
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562776
MD5: d0038532ae6cec64be83bc19d0b8f695
SHA1: 17a23380f80068d15ebc014cb2b1748bb45fb5c1
SHA256: b412dd132cb21a0d4d7bb622c6fe49f9e6c5c934201815d570db774ac80194f5
Tags: exe, user-Bitsight

Detection

Poverty Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Poverty Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality to query CPU information (cpuid)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • file.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D0038532AE6CEC64BE83BC19D0B8F695)
  • cleanup
Extracted malware configuration: {"C2 url": "85.244.212.106:2227"}
Note: the address in the extracted configuration (85.244.212.106) differs from the destination the sample actually contacted during this run (185.244.212.106:2227, see the Suricata alert and the Networking section); treat the observed endpoint as the primary indicator.
Yara matches (Source | Rule | Description | Author; no matched strings were reported for any entry)
file.exe | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
00000000.00000000.1654543699.0000000000297000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
Process Memory Space: file.exe PID: 6664 | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
0.2.file.exe.290000.0.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
0.0.file.exe.290000.0.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)
2024-11-26T01:15:06.727599+0100 | 2048736 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 185.244.212.106 | 2227 | TCP

              AV Detection

Source: file.exe, Avira: detected
Source: 0.0.file.exe.290000.0.unpack, Malware Configuration Extractor: Poverty Stealer {"C2 url": "85.244.212.106:2227"}
Source: file.exe, Virustotal: Detection: 67%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00291D21 CryptUnprotectData,CryptProtectData,0_2_00291D21
Source: file.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: ntkrnlmp.pdb/ source: file.exe, 00000000.00000002.1781980686.000000000A191000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ntkrnlmp.pdbUxi source: file.exe, 00000000.00000002.1846640773.000000000C7EE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ntkrnlmp.pdb&>G/- source: file.exe, 00000000.00000002.1894109859.000000000D74C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdbW|k source: file.exe, 00000000.00000002.1846640773.000000000C7EE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ntkrnlmp.pdb;t source: file.exe, 00000000.00000002.1806662952.000000000B0F6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: file.exe, 00000000.00000002.1869520671.000000000CFB3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1817983693.000000000B842000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1831076867.000000000C091000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1869520671.000000000CFBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1894109859.000000000D74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1762944379.0000000008ED8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb<.B1" source: file.exe, 00000000.00000002.1915819842.000000000DF59000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb: source: file.exe, 00000000.00000002.1818937151.000000000B890000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ntkrnlmp.pdb source: file.exe, 00000000.00000002.1773857010.0000000009A6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1818937151.000000000B884000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1869520671.000000000CFBF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb-4B source: file.exe, 00000000.00000002.1894109859.000000000D756000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb9z source: file.exe, 00000000.00000002.1773857010.0000000009A6C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb8 source: file.exe, 00000000.00000002.1795920728.000000000A910000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbo source: file.exe, 00000000.00000002.1760644057.00000000007AF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb=x source: file.exe, 00000000.00000002.1806662952.000000000B0EE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb) source: file.exe, 00000000.00000002.1795920728.000000000A917000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1781980686.000000000A191000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb* source: file.exe, 00000000.00000002.1831076867.000000000C091000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb. source: file.exe, 00000000.00000002.1763849049.000000000904D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ntkrnlmp.pdbx, source: file.exe, 00000000.00000002.1806662952.000000000B0EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763849049.000000000904D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1846640773.000000000C7EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1869520671.000000000CFB3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1817983693.000000000B842000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1773857010.0000000009A6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1915819842.000000000DF59000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767555678.0000000009406000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1831076867.000000000C091000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1795920728.000000000A910000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1894109859.000000000D74C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1762944379.0000000008ED8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1781980686.000000000A191000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb# source: file.exe, 00000000.00000002.1767555678.0000000009406000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1781980686.000000000A191000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ntkrnlmp.pdbP source: file.exe, 00000000.00000002.1831076867.000000000C09B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ntkrnlmp.pdb>"L=$ source: file.exe, 00000000.00000002.1915819842.000000000DF59000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb"JP source: file.exe, 00000000.00000002.1915819842.000000000DF66000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb<@ source: file.exe, 00000000.00000002.1773857010.0000000009A6C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb+Do source: file.exe, 00000000.00000002.1846640773.000000000C7EE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ntkrnlmp.pdb" source: file.exe, 00000000.00000002.1795920728.000000000A917000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WINLOA~1.PDBwinload_prod.pdb<~ source: file.exe, 00000000.00000002.1806662952.000000000B0EE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00291000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,0_2_00291000
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00294EB2 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,0_2_00294EB2
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00291DC9 FindFirstFileW,FindNextFileW,0_2_00291DC9
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00294145 FindFirstFileW,FindNextFileW,0_2_00294145
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00293F87 FindFirstFileW,FindNextFileW,0_2_00293F87
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies

              Networking

Source: Network traffic, Suricata IDS: 2048736 - Severity 1 - ET MALWARE LUMAR Stealer Exfiltration M2 : 192.168.2.4:49730 -> 185.244.212.106:2227
Source: Malware configuration extractor, URLs: 85.244.212.106:2227
Source: global traffic, TCP traffic: 192.168.2.4:49730 -> 185.244.212.106:2227
Source: Joe Sandbox View, ASN Name: M247GB M247GB
Source: unknown, TCP traffic detected without corresponding DNS query: 185.244.212.106 (50 identical entries collapsed; the sample contacts the C2 by IP address, so no DNS query precedes the connection)
Source: file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
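The Networking findings above carry two different C2 addresses: the configuration extractor reports 85.244.212.106:2227, while the Suricata alert, the observed TCP flow and the DNS-less traffic all point at 185.244.212.106:2227. The following script is an added example (not part of the Joe Sandbox report and not code from the sample) that consolidates such findings into per-IP indicators, separates what was actually observed from what was only extracted, and emits a local Suricata rule for the observed endpoint. The input lines are constructed from the findings above; the rule message and the sid 9000001 are assumed values for a local rule set.

```python
"""Consolidate network IOCs from sandbox 'Networking' findings and flag
disagreement between the extracted configuration and the observed traffic.

Added example; the FINDINGS lines are constructed from the report's
Networking section, not parsed from a live Joe Sandbox export."""

import re
from dataclasses import dataclass, field

FINDINGS = [
    "Source: Network traffic, Suricata IDS: 2048736 - Severity 1 - ET MALWARE LUMAR Stealer Exfiltration M2 : 192.168.2.4:49730 -> 185.244.212.106:2227",
    "Source: Malware configuration extractor, URLs: 85.244.212.106:2227",
    "Source: global traffic, TCP traffic: 192.168.2.4:49730 -> 185.244.212.106:2227",
    "Source: unknown, TCP traffic detected without corresponding DNS query: 185.244.212.106",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FLOW_RE = re.compile(IPV4 + r":(\d+) -> " + IPV4 + r":(\d+)")          # src:port -> dst:port
IDS_RE = re.compile(r"Suricata IDS: (\d+) - Severity (\d+) - (.+?) : ")  # sid, severity, rule msg
CONFIG_RE = re.compile(r"configuration extractor.*?URLs?: " + IPV4 + r"(?::(\d+))?")
NODNS_RE = re.compile(r"without corresponding DNS query: " + IPV4)


@dataclass
class Ioc:
    ip: str
    ports: set = field(default_factory=set)
    evidence: set = field(default_factory=set)   # "observed-flow", "ids-alert:<sid>", "config", "no-dns"


def consolidate(lines):
    """Merge every finding that names a destination IP into one Ioc per IP."""
    iocs = {}

    def get(ip):
        return iocs.setdefault(ip, Ioc(ip))

    for line in lines:
        if m := FLOW_RE.search(line):
            dst_ip, dst_port = m.group(3), int(m.group(4))
            ioc = get(dst_ip)
            ioc.ports.add(dst_port)
            ioc.evidence.add("observed-flow")
            if ids := IDS_RE.search(line):
                ioc.evidence.add(f"ids-alert:{ids.group(1)}")
        elif m := CONFIG_RE.search(line):
            ioc = get(m.group(1))
            ioc.evidence.add("config")
            if m.group(2):
                ioc.ports.add(int(m.group(2)))
        elif m := NODNS_RE.search(line):
            get(m.group(1)).evidence.add("no-dns")
    return iocs


def config_vs_observed(iocs):
    """Return (observed IPs, IPs present only in the extracted config).
    A config-only entry means the extractor and the sandbox run disagree and
    the observed endpoint should be preferred for blocking."""
    observed = sorted(ip for ip, i in iocs.items() if "observed-flow" in i.evidence)
    config_only = sorted(ip for ip, i in iocs.items()
                         if "config" in i.evidence and "observed-flow" not in i.evidence)
    return observed, config_only


def suricata_rule(ip, port, sid, msg):
    """Build a local Suricata rule for an observed C2 endpoint (sid is an assumed local id)."""
    return (f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{msg}"; '
            f"flow:to_server,established; classtype:trojan-activity; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    iocs = consolidate(FINDINGS)
    for ioc in iocs.values():
        print(ioc.ip, sorted(ioc.ports), sorted(ioc.evidence))
    observed, config_only = config_vs_observed(iocs)
    print("observed:", observed, "config-only:", config_only)
    for ip in observed:
        for port in sorted(iocs[ip].ports):
            print(suricata_rule(ip, port, 9000001, "Poverty Stealer C2 (Joe Sandbox 1562776)"))
```

Run on the report's findings this yields one observed indicator (185.244.212.106:2227, backed by the flow, the ET alert 2048736 and the missing DNS lookup) and one config-only indicator (85.244.212.106:2227); the mismatch is exactly the kind of discrepancy worth checking before the extracted value is pushed to a blocklist.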
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00294C2D GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC,0_2_00294C2D
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe, Mutant created: \Sessions\1\BaseNamedObjects\085f229d-d27d-4fc1-9dc1-8958125ccbd9
Source: file.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe, Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe, Section loaded: mswsock.dll
Source: file.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe, Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_0-2301
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_002920E1 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,0_2_002920E1
Source: file.exe, 00000000.00000002.1821824765.000000000BA5C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00293595 EnterCriticalSection,GetProcessHeap,RtlAllocateHeap,LeaveCriticalSection,0_2_00293595
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_002920E1 cpuid 0_2_002920E1

              Stealing of Sensitive Information

              Source: Yara matchFile source: file.exe, type: SAMPLE
              Source: Yara matchFile source: 0.2.file.exe.290000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.file.exe.290000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000000.1654543699.0000000000297000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 6664, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
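As an added example (not part of the Joe Sandbox report and not code from the sample), the following Python triages file-open events of the shape listed above. It collapses the re-entered %LOCALAPPDATA%\Application Data junction, which is what produces the repeated "Application Data" segments and betrays a recursive directory walk that does not skip reparse points, and then flags which browser secret stores a non-browser process touched. The event lines, the browser process allow-list and the artifact labels are constructed for this example; the reason these particular files matter is that Chrome's and Edge's Local State holds the DPAPI-protected key for Login Data and Cookies, and Firefox's key4.db protects logins.json.

```python
"""Flag browser secret-store reads by a non-browser process in sandbox file-open events.
Added example for this report; the sample events below are constructed, not sandbox output."""
import re
from collections import defaultdict

# Report lines look like "Source: <process>File opened: <path>Jump to behavior".
EVENT_RE = re.compile(
    r"Source:\s*(?P<proc>.+?)File opened:\s*(?P<path>.+?)(?:Jump to behavior)?\s*$"
)

# %LOCALAPPDATA%\Application Data is a legacy compatibility junction that points
# back at %LOCALAPPDATA%. A recursive walk that does not skip reparse points
# re-enters it, which is what inflated the paths in the report.
JUNCTION_PARENT = "local"
JUNCTION_NAME = "application data"

# Chromium-family files by name. 'Local State' carries the DPAPI-protected AES
# key that decrypts the v10 blobs in 'Login Data' and 'Cookies'.
CHROMIUM_FILES = {
    "local state": "master-key",
    "login data": "passwords",
    "web data": "autofill",
    "cookies": "cookies",
}
FIREFOX_FILES = {
    "key4.db": "master-key",
    "logins.json": "passwords",
    "cert9.db": "certificates",
    "cookies.sqlite": "cookies",
}
# Assumed allow-list: a browser reading its own profile is normal.
BROWSER_PROCESSES = frozenset({"chrome.exe", "msedge.exe", "firefox.exe"})


def normalize_path(path):
    """Collapse junction re-entries. Returns (clean_path, number_of_reentries)."""
    kept, reentries = [], 0
    for seg in path.split("\\"):
        if seg.lower() == JUNCTION_NAME and kept and kept[-1].lower() == JUNCTION_PARENT:
            reentries += 1
            continue
        kept.append(seg)
    return "\\".join(kept), reentries


def classify(clean_path):
    """Return (browser, artifact) for a known secret store, else None."""
    low = clean_path.lower()
    name = low.rsplit("\\", 1)[-1]
    if "\\google\\chrome\\user data\\" in low and name in CHROMIUM_FILES:
        return "chrome", CHROMIUM_FILES[name]
    if "\\microsoft\\edge\\user data\\" in low and name in CHROMIUM_FILES:
        return "edge", CHROMIUM_FILES[name]
    if "\\mozilla\\firefox\\profiles\\" in low and name in FIREFOX_FILES:
        return "firefox", FIREFOX_FILES[name]
    return None


def triage(lines, browser_processes=BROWSER_PROCESSES):
    """Map each non-browser process to the secret stores it opened.
    Returns {process: {"artifacts": {(browser, artifact), ...}, "max_reentries": int}}."""
    findings = defaultdict(lambda: {"artifacts": set(), "max_reentries": 0})
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        proc = m.group("proc").strip()
        if proc.rsplit("\\", 1)[-1].lower() in browser_processes:
            continue
        clean, reentries = normalize_path(m.group("path").strip())
        hit = classify(clean)
        if hit is None:
            continue
        entry = findings[proc]
        entry["artifacts"].add(hit)
        entry["max_reentries"] = max(entry["max_reentries"], reentries)
    return dict(findings)


# Constructed sample events in the report's line format (not copied from the sandbox).
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local StateJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\CookiesJump to behavior",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
]

if __name__ == "__main__":
    for proc, info in triage(SAMPLE_EVENTS).items():
        stores = ", ".join(f"{b}:{a}" for b, a in sorted(info["artifacts"]))
        print(f"{proc} -> {stores} (junction re-entries up to {info['max_reentries']})")
```

Run against the constructed events, only file.exe is reported: the Adobe AcroCef cache path is dropped because it is not a browser profile even though it ends in Network\Cookies, and chrome.exe reading its own Login Data is suppressed by the allow-list. The junction re-entry count is a useful secondary signal: a legitimate backup or indexing tool that uses the proper flags never re-enters the junction, so a count above zero on a credential-store path is worth its own alert.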

              Remote Access Functionality

Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.2.file.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1654543699.0000000000297000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6664, type: MEMORYSTR
MITRE ATT&CK Matrix (the number in parentheses is the count of matching signatures; techniques without a count are the matrix's default entries and had no hits):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Native API (1); Scheduled Task/Job; At
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: DLL Side-Loading (1); Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager
Discovery: Security Software Discovery (11); File and Directory Discovery (2); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Screen Capture (1); Data from Local System (1); Data from Network Shared Drive
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Antivirus detection for the submitted sample:
Source | Detection | Scanner | Label
file.exe | 68% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.XPACK.Gen3
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches

URL scanner results:
Source | Detection | Scanner | Label
85.244.212.106:2227 | 0% | Avira URL Cloud | safe
No contacted domains info

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
85.244.212.106:2227 | true | Avira URL Cloud: safe | unknown
URLs found in process memory. These are search-provider URL templates of the kind Chrome stores in its Web Data database, consistent with the reads of that file listed above; none of them was contacted and none is flagged.
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000002.1796832609.000000000AA57000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1766312611.00000000092CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
185.244.212.106 | unknown | Romania | 9009 | M247GB | true
Note: the C2 string extracted from the malware configuration reads 85.244.212.106:2227, while the IP actually contacted during analysis is 185.244.212.106. The report does not reconcile the two addresses; treat both as indicators until the configuration parse is confirmed.
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1562776
                                Start date and time:2024-11-26 01:14:05 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 3m 12s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 14
                                • Number of non-executed functions: 8
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenFile calls found.
                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                No simulations
IP context:
Match | Associated Sample Name / URL | Detection | Threat Name
185.244.212.106 | file.exe | malicious | Poverty Stealer
185.244.212.106 | j95Whg3AY1.exe | malicious | Poverty Stealer
185.244.212.106 | F7fahhucBo.exe | malicious | Poverty Stealer
185.244.212.106 | IxE6TjWjRM.exe | malicious | Poverty Stealer
No context
ASN context:
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | file.exe | malicious | Poverty Stealer | 185.244.212.106
M247GB | file.exe | malicious | NetSupport RAT | 45.61.128.74
M247GB | la.bot.mipsel.elf | malicious | Unknown | 93.120.123.217
M247GB | file.exe | malicious | NetSupport RAT | 45.61.128.74
M247GB | loligang.ppc.elf | malicious | Mirai | 104.224.90.41
M247GB | comprobante.exe | malicious | Remcos | 176.10.80.43
M247GB | 7jBzTH9FXQ.exe | malicious | Unknown | 95.174.64.138
M247GB | fACYdCvub8.exe | malicious | Unknown | 95.174.66.19
M247GB | 7jBzTH9FXQ.exe | malicious | Unknown | 193.29.107.181
M247GB | fACYdCvub8.exe | malicious | Unknown | 217.138.199.203
No context
No context
                                        No created / dropped files found
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):6.4829991676504175
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:file.exe
                                        File size:30'208 bytes
                                        MD5:d0038532ae6cec64be83bc19d0b8f695
                                        SHA1:17a23380f80068d15ebc014cb2b1748bb45fb5c1
                                        SHA256:b412dd132cb21a0d4d7bb622c6fe49f9e6c5c934201815d570db774ac80194f5
                                        SHA512:af269471f7093445fb05bc6d6d185f9e48d0666674a3de50c4217757d3fdf39b067668bf2ca37eac91d5cb203c3ce3d4d634661e470d84d12c80c332344503ea
                                        SSDEEP:384:piY/4mcwYPSNOjKjg11+rVlOxxtNP97kJkgQ8pwIIumVbgORBprjlJZpTJ3uPbHO:piWWjjKjrOFgwItmVsOlr1B+90B
                                        TLSH:C7D29EA5CDE0D0B3C0630571B39FFB5B5DFF2626022844C767B50C55899AA81EAAB3D3
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M...,}..,}..,}..q~..,}..T...,}..,|..,}..qt..,}..q...,}.Rich.,}.........PE..L......f.................`...........".......p....@
                                        Icon Hash:90cececece8e8eb0
                                        Entrypoint:0x402282
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x668CD4E5 [Tue Jul 9 06:12:53 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:1
                                        File Version Major:5
                                        File Version Minor:1
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:1
                                        Import Hash:f63e2b20da57bba52ad3b39011a8e8d2
                                        Instruction
                                        push ebp
                                        mov ebp, esp
                                        sub esp, 00000364h
                                        push esi
                                        push edi
                                        push 00000DA3h
                                        push 004084D4h
                                        call dword ptr [00407018h]
                                        test eax, eax
                                        jne 00007FA248D44487h
                                        jmp 00007FA248D448ECh
                                        push 00408046h
                                        push 00000000h
                                        push 00000000h
                                        call dword ptr [0040701Ch]
                                        mov dword ptr [ebp-30h], eax
                                        cmp dword ptr [ebp-30h], 00000000h
                                        je 00007FA248D448C9h
                                        call dword ptr [00407024h]
                                        cmp eax, 000000B7h
                                        je 00007FA248D448B8h
                                        push 00000065h
                                        pop edx
                                        lea ecx, dword ptr [ebp-28h]
                                        call 00007FA248D45E06h
                                        cmp dword ptr [ebp-24h], 00000000h
                                        je 00007FA248D4487Ah
                                        push 0000011Ch
                                        xor edx, edx
                                        lea ecx, dword ptr [ebp-00000164h]
                                        call 00007FA248D4578Eh
                                        pop ecx
                                        mov dword ptr [ebp-00000164h], 0000011Ch
                                        lea ecx, dword ptr [ebp-00000164h]
                                        call 00007FA248D469E6h
                                        test eax, eax
                                        jl 00007FA248D44842h
                                        push dword ptr [ebp-00000158h]
                                        push dword ptr [ebp-0000015Ch]
                                        push dword ptr [ebp-00000160h]
                                        push 00407474h
                                        push 00000000h
                                        call 00007FA248D457B7h
                                        add esp, 14h
                                        sub esp, 0000011Ch
                                        push 00000047h
                                        pop ecx
                                        lea esi, dword ptr [ebp-00000164h]
                                        mov edi, esp
                                        Programming Language:
                                        • [IMP] VS2008 SP1 build 30729
                                        • [LNK] VS2015 UPD2 build 23918
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x76b0 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9000 | 0x2fc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x75d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0xb0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x1000 | 0x5ecd | 0x6000 | 39c5351867ca632d1851a77edb7027dc | False | 0.6384684244791666 | data | 6.6047321266474475 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rdata | 0x7000 | 0xaf6 | 0xc00 | adcc9fb56ce6bb8a5b9550b0cd8aa46e | False | 0.4612630208333333 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 4.887509921041914 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .data | 0x8000 | 0x510 | 0x200 | 931354d1114628f4e46dab76862a5fe5 | False | 0.24609375 | data | 1.8621385217302757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .reloc | 0x9000 | 0x2fc | 0x400 | a015961f72d73e04f569fe5162e49191 | False | 0.6982421875 | data | 5.466540815021208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        DLL | Import
                                        KERNEL32.dll | WaitForMultipleObjects, GetUserDefaultUILanguage, InitializeCriticalSectionAndSpinCount, CreateMutexA, Sleep, GetLastError, CloseHandle, GetSystemInfo, CreateThread, DeleteCriticalSection, ExitProcess, GlobalMemoryStatusEx, HeapFree, GetModuleFileNameW, HeapReAlloc, IsDBCSLeadByte, HeapAlloc, GetProcessHeap, WideCharToMultiByte, GetCurrentProcess, VirtualAlloc, GetFileAttributesW, DuplicateHandle, GetModuleHandleA, OpenProcess, LoadLibraryA, GetProcAddress, IsWow64Process, LeaveCriticalSection, MultiByteToWideChar, EnterCriticalSection
                                        USER32.dll | ReleaseDC, EnumDisplayDevicesA, GetKeyboardLayoutList, GetSystemMetrics
                                        ADVAPI32.dll | GetCurrentHwProfileA
                                        CRYPT32.dll | CryptProtectData
                                        urlmon.dll | ObtainUserAgentString
                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                        2024-11-26T01:15:06.727599+0100 | 2048736 | ET MALWARE LUMAR Stealer Exfiltration M2 | 1 | 192.168.2.4 | 49730 | 185.244.212.106 | 2227 | TCP
                                        Nov 26, 2024 01:15:07.985090017 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985126019 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985215902 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985229015 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985280037 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985301018 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985315084 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985346079 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985357046 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985368967 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985379934 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985416889 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985524893 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985538006 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985549927 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985563993 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985579014 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985601902 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985622883 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985629082 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985635996 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985670090 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985687017 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985698938 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985712051 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985754013 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985796928 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985810041 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985848904 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985898972 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985910892 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985925913 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985946894 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.985980988 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.985981941 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986026049 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986069918 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986083984 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986110926 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986129045 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986140013 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986154079 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986200094 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986253977 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986267090 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986279964 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986306906 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986315012 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986320972 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986335993 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986362934 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986372948 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986469984 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986484051 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986495972 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986514091 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986521006 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986522913 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986536026 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986545086 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986571074 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986572027 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986641884 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986645937 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986671925 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986696005 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986722946 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986763000 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986823082 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986826897 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986835957 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986882925 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986895084 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986906052 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986907005 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986929893 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986932993 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986944914 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.986970901 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.986999035 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987025023 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987040043 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987066031 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987068892 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987082958 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987106085 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987112045 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987128019 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987149000 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987189054 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987257957 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987271070 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987320900 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987325907 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987341881 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987370014 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987380028 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987430096 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987431049 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987443924 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987485886 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987500906 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987579107 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987592936 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987605095 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987617016 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987628937 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987631083 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987668037 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987668991 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987680912 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987693071 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987704992 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987718105 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987759113 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:07.987762928 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:07.987813950 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.029288054 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.029300928 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.029349089 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.029367924 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103162050 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103174925 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103230953 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103249073 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103285074 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103298903 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103311062 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103331089 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103338003 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103365898 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103368044 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103379011 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103389978 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103425026 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103432894 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103482962 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103496075 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103533983 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103545904 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103617907 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103631020 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103667021 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103672981 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103719950 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103799105 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103811979 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103822947 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103848934 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103851080 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103863001 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.103883982 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103899956 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.103907108 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104001999 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104015112 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104060888 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104063988 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104087114 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104110956 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104129076 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104192019 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104204893 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104257107 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104306936 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104320049 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104352951 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104363918 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104372025 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104428053 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104470015 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104482889 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104521990 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104526997 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104535103 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104547024 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104582071 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104594946 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104641914 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104654074 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104676008 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104701042 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104727030 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104737043 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104789019 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104804039 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104823112 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104873896 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104902029 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104913950 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104926109 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.104960918 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104975939 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.104979038 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105029106 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105113029 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105127096 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105139017 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105150938 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105160952 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105164051 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105189085 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105216980 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105241060 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105253935 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105266094 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105298042 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105309010 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105320930 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105329037 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105334044 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105349064 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105367899 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105391979 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105402946 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105422020 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105473042 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105473995 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105484962 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105523109 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105536938 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105544090 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105593920 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105667114 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105679989 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105715036 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105736017 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105750084 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105762959 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105804920 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105842113 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.105892897 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.105997086 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106013060 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106024981 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106057882 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.106070042 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106080055 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.106125116 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.106157064 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106245041 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106251001 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.106260061 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106271982 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106287003 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106295109 CET497302227192.168.2.4185.244.212.106
                                        Nov 26, 2024 01:15:08.106329918 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106344938 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106465101 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106477976 CET222749730185.244.212.106192.168.2.4
                                        Nov 26, 2024 01:15:08.106501102 CET222749730185.244.212.106192.168.2.4


Target ID: 0
Start time: 19:14:55
Start date: 25/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x290000
File size: 30'208 bytes
MD5 hash: D0038532AE6CEC64BE83BC19D0B8F695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000000.1654543699.0000000000297000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

                                          Execution Graph

                                          Execution Coverage:27.7%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:35.7%
                                          Total number of Nodes:384
                                          Total number of Limit Nodes:8
                                          execution_graph 2300 292282 InitializeCriticalSectionAndSpinCount 2301 2922a6 CreateMutexA 2300->2301 2338 2922a1 2300->2338 2302 2922c2 GetLastError 2301->2302 2303 292705 ExitProcess 2301->2303 2302->2303 2304 2922d3 2302->2304 2378 293c5f 2304->2378 2306 2926dc DeleteCriticalSection 2306->2303 2307 2922de 2307->2306 2382 294871 2307->2382 2310 2926d4 2312 2935c3 2 API calls 2310->2312 2312->2306 2317 29236d 2405 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2317->2405 2319 29237c 2406 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2319->2406 2321 29266c 2471 293e03 EnterCriticalSection 2321->2471 2323 292685 2484 2935c3 2323->2484 2324 29238b 2324->2321 2407 29475f GetModuleHandleA 2324->2407 2328 2923ed 2328->2321 2410 291fba GetUserDefaultUILanguage 2328->2410 2329 2935c3 2 API calls 2331 29269d 2329->2331 2333 2935c3 2 API calls 2331->2333 2334 2926a8 2333->2334 2336 2935c3 2 API calls 2334->2336 2335 29475f 2 API calls 2337 292441 2335->2337 2340 2926b3 2336->2340 2337->2338 2339 29246a ExitProcess 2337->2339 2342 292472 2337->2342 2340->2310 2487 2953f8 2340->2487 2343 29249f ExitProcess 2342->2343 2344 2924a7 2342->2344 2345 2924dc 2344->2345 2346 2924d4 ExitProcess 2344->2346 2421 294c2d 2345->2421 2354 2925ac 2356 293668 11 API calls 2354->2356 2355 2925bf 2503 2952c4 2355->2503 2356->2355 2358 2925d0 2359 2952c4 4 API calls 2358->2359 2360 2925de 2359->2360 2361 2952c4 4 API calls 2360->2361 2362 2925ee 2361->2362 2363 2952c4 4 API calls 2362->2363 2364 2925fd 2363->2364 2365 2952c4 4 API calls 2364->2365 2366 29260d 2365->2366 2367 2952c4 4 API calls 2366->2367 2368 29261c 2367->2368 2507 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2368->2507 2370 292626 2371 29263f 2370->2371 2372 29262f GetModuleFileNameW 2370->2372 2373 2952c4 4 API calls 2371->2373 2372->2371 2374 292659 2373->2374 2375 2952c4 4 API calls 
2374->2375 2376 292664 2375->2376 2377 2935c3 2 API calls 2376->2377 2377->2321 2379 293c67 2378->2379 2508 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2379->2508 2381 293c72 2381->2307 2383 29475f 2 API calls 2382->2383 2384 29489d 2383->2384 2385 2952c4 4 API calls 2384->2385 2390 292310 2384->2390 2386 2948b3 2385->2386 2387 2952c4 4 API calls 2386->2387 2388 2948be 2387->2388 2389 2952c4 4 API calls 2388->2389 2389->2390 2390->2310 2391 293668 2390->2391 2509 292c95 2391->2509 2394 2948d6 2395 2948eb VirtualAlloc 2394->2395 2398 292351 2394->2398 2396 29490a 2395->2396 2395->2398 2397 29475f 2 API calls 2396->2397 2399 29492c 2397->2399 2398->2310 2404 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2398->2404 2399->2398 2400 29495b GetCurrentProcess IsWow64Process 2399->2400 2402 2952c4 4 API calls 2400->2402 2403 294985 2402->2403 2403->2398 2404->2317 2405->2319 2406->2324 2408 29477d LoadLibraryA 2407->2408 2409 29478a 2407->2409 2408->2409 2409->2328 2411 29202d 2410->2411 2412 293668 11 API calls 2411->2412 2413 292065 2412->2413 2414 293668 11 API calls 2413->2414 2415 292074 GetKeyboardLayoutList 2414->2415 2416 2920cf 2415->2416 2420 29208e 2415->2420 2417 293668 11 API calls 2416->2417 2418 2920db 2417->2418 2418->2335 2418->2337 2419 293668 11 API calls 2419->2420 2420->2416 2420->2419 2422 2924f5 CreateThread CreateThread WaitForMultipleObjects 2421->2422 2423 294c43 2421->2423 2448 291a6c 2422->2448 2733 291dc9 2422->2733 2749 29522a 2422->2749 2424 29475f 2 API calls 2423->2424 2425 294c74 2424->2425 2425->2422 2426 29475f 2 API calls 2425->2426 2427 294c89 2426->2427 2427->2422 2428 294c91 KiUserCallbackDispatcher GetSystemMetrics 2427->2428 2429 294cb6 2428->2429 2430 294cdc GetDC 2429->2430 2430->2422 2431 294cf0 GetCurrentObject 2430->2431 2432 294d03 GetObjectW 2431->2432 2433 294ea2 ReleaseDC 2431->2433 2432->2433 2434 294d1a 2432->2434 2433->2422 2435 293668 11 API calls 
2434->2435 2436 294d3a DeleteObject CreateCompatibleDC 2435->2436 2436->2433 2437 294daf CreateDIBSection 2436->2437 2438 294e9b DeleteDC 2437->2438 2439 294dd0 SelectObject 2437->2439 2438->2433 2440 294de0 BitBlt 2439->2440 2441 294e94 DeleteObject 2439->2441 2440->2441 2442 294e05 2440->2442 2441->2438 2537 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2442->2537 2444 294e10 2444->2441 2445 293e03 10 API calls 2444->2445 2446 294e89 2445->2446 2447 2935c3 2 API calls 2446->2447 2447->2441 2449 291a7a 2448->2449 2453 291ab3 2448->2453 2451 291a96 2449->2451 2538 291000 2449->2538 2452 291000 57 API calls 2451->2452 2451->2453 2452->2453 2454 2920e1 2453->2454 2716 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2454->2716 2456 292190 GetCurrentHwProfileA 2457 2921ba GetSystemInfo 2456->2457 2458 2921a4 2456->2458 2459 293668 11 API calls 2457->2459 2461 293668 11 API calls 2458->2461 2462 2921dc 2459->2462 2460 292106 2460->2456 2463 2921b7 2461->2463 2464 2935c3 2 API calls 2462->2464 2463->2457 2465 2921e6 GlobalMemoryStatusEx 2464->2465 2466 293668 11 API calls 2465->2466 2469 292215 2466->2469 2467 292268 EnumDisplayDevicesA 2468 29227b ObtainUserAgentString 2467->2468 2467->2469 2468->2354 2468->2355 2469->2467 2470 293668 11 API calls 2469->2470 2470->2469 2472 293f31 LeaveCriticalSection 2471->2472 2473 293e25 2471->2473 2472->2323 2473->2472 2717 293da9 WideCharToMultiByte 2473->2717 2477 293e79 2724 296d0e 2477->2724 2479 293e83 2480 2935c3 2 API calls 2479->2480 2481 293edc 2480->2481 2482 2935c3 2 API calls 2481->2482 2483 293f2c 2482->2483 2483->2472 2485 292692 2484->2485 2486 2935c7 GetProcessHeap RtlFreeHeap 2484->2486 2485->2329 2486->2485 2488 29475f 2 API calls 2487->2488 2489 29547b 2488->2489 2490 29548a WSAStartup 2489->2490 2493 295483 2489->2493 2491 2954ec 2490->2491 2490->2493 2492 2954fc socket 2491->2492 2492->2493 2494 295520 2492->2494 2493->2340 2495 295540 connect 
2494->2495 2496 2955b3 closesocket 2494->2496 2497 295557 send 2495->2497 2498 2955a6 Sleep 2495->2498 2496->2493 2497->2498 2499 295579 send 2497->2499 2498->2494 2499->2498 2500 295595 2499->2500 2501 2935c3 2 API calls 2500->2501 2502 2955a0 2501->2502 2502->2496 2504 2952e7 2503->2504 2505 295313 2503->2505 2504->2505 2732 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2504->2732 2505->2358 2507->2370 2508->2381 2510 292ca5 2509->2510 2517 292cb3 2509->2517 2521 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2510->2521 2512 292d03 2514 292336 2512->2514 2532 295281 2512->2532 2514->2394 2515 2930c3 2516 2935c3 2 API calls 2515->2516 2516->2514 2517->2512 2519 292eb6 WideCharToMultiByte 2517->2519 2520 292f3e WideCharToMultiByte 2517->2520 2522 292a1e 2517->2522 2519->2517 2520->2517 2521->2517 2523 292a36 2522->2523 2524 292a5d 2523->2524 2525 292c71 2523->2525 2528 292a6f __aulldvrm 2523->2528 2527 292a66 2524->2527 2529 292c0a 2524->2529 2526 292c77 WideCharToMultiByte 2525->2526 2525->2528 2526->2528 2527->2528 2531 292bd2 WideCharToMultiByte 2527->2531 2528->2517 2529->2528 2530 292c32 IsDBCSLeadByte 2529->2530 2530->2529 2531->2527 2533 29529c 2532->2533 2534 295292 2532->2534 2533->2515 2536 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2534->2536 2536->2533 2537->2444 2539 29141c 2538->2539 2540 29101e 2538->2540 2539->2451 2540->2539 2575 294108 GetFileAttributesW 2540->2575 2542 291035 2542->2539 2576 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2542->2576 2544 291049 2577 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2544->2577 2546 291052 2552 2913df 2546->2552 2578 29368d 2546->2578 2547 2935c3 2 API calls 2549 291415 2547->2549 2551 2935c3 2 API calls 2549->2551 2551->2539 2552->2547 2553 2913c7 FindNextFileW 2553->2552 2556 291173 2553->2556 2554 29368d 7 API calls 2554->2556 
2556->2553 2556->2554 2557 293f43 41 API calls 2556->2557 2562 2916ef EnterCriticalSection 2556->2562 2566 293e03 10 API calls 2556->2566 2568 2935c3 GetProcessHeap RtlFreeHeap 2556->2568 2571 29134d 2556->2571 2574 291000 53 API calls 2556->2574 2581 2944f7 2556->2581 2613 293729 2556->2613 2617 291aef 2556->2617 2625 291d21 2556->2625 2632 291c32 2556->2632 2669 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2556->2669 2557->2556 2643 294eb2 2562->2643 2566->2556 2567 293f87 43 API calls 2567->2571 2568->2556 2569 294145 15 API calls 2569->2571 2571->2556 2571->2567 2571->2569 2572 29368d 7 API calls 2571->2572 2635 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2571->2635 2636 293f43 2571->2636 2572->2571 2574->2556 2575->2542 2576->2544 2577->2546 2670 293111 2578->2670 2678 294108 GetFileAttributesW 2581->2678 2583 294509 2584 294758 2583->2584 2679 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2583->2679 2584->2556 2586 29451f 2587 294750 2586->2587 2588 29368d 7 API calls 2586->2588 2589 2935c3 2 API calls 2587->2589 2590 29453c 2588->2590 2589->2584 2591 29455a EnterCriticalSection 2590->2591 2592 2945c4 LeaveCriticalSection 2591->2592 2593 294626 2592->2593 2594 2945dd 2592->2594 2593->2587 2596 294649 EnterCriticalSection 2593->2596 2594->2593 2595 2945fa 2594->2595 2681 294377 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 2595->2681 2598 294680 LeaveCriticalSection 2596->2598 2600 294698 2598->2600 2601 29471c EnterCriticalSection 2598->2601 2680 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2600->2680 2607 294745 LeaveCriticalSection 2601->2607 2602 294603 2604 2935c3 2 API calls 2602->2604 2606 29460b 2604->2606 2605 2946a2 2605->2601 2610 2946bf EnterCriticalSection 2605->2610 2608 2944f7 29 API calls 2606->2608 2607->2587 2609 29461f 2608->2609 2609->2584 2611 294700 LeaveCriticalSection 2610->2611 
2611->2601 2612 294714 2611->2612 2612->2601 2614 29373d 2613->2614 2616 293741 2614->2616 2702 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2614->2702 2616->2556 2618 291b07 2617->2618 2620 291b0c 2617->2620 2703 291aba 2618->2703 2623 291b11 2620->2623 2706 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2620->2706 2623->2556 2624 291b40 2624->2623 2707 291adc 2624->2707 2626 29475f 2 API calls 2625->2626 2627 291d5a 2626->2627 2628 291d87 2627->2628 2629 291d6a CryptUnprotectData 2627->2629 2628->2556 2629->2628 2630 291d92 2629->2630 2630->2628 2631 291d99 CryptProtectData 2630->2631 2631->2628 2711 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2632->2711 2634 291c58 2634->2556 2635->2571 2637 2944f7 37 API calls 2636->2637 2638 293f59 2637->2638 2641 293e03 10 API calls 2638->2641 2642 293f78 2638->2642 2639 2935c3 2 API calls 2640 293f81 2639->2640 2640->2571 2641->2642 2642->2639 2644 294f15 2643->2644 2645 294ed4 2643->2645 2653 29170b LeaveCriticalSection 2644->2653 2712 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2644->2712 2646 29368d 7 API calls 2645->2646 2648 294f0b 2646->2648 2714 294108 GetFileAttributesW 2648->2714 2649 294f35 2713 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2649->2713 2652 294f3f 2654 29368d 7 API calls 2652->2654 2653->2556 2655 294f4d FindFirstFileW 2654->2655 2656 29520e 2655->2656 2668 294f6a 2655->2668 2657 2935c3 2 API calls 2656->2657 2658 295215 2657->2658 2659 2935c3 2 API calls 2658->2659 2659->2653 2660 2951f6 FindNextFileW 2660->2656 2660->2668 2661 293f43 41 API calls 2661->2668 2662 29368d 7 API calls 2662->2668 2664 29500f EnterCriticalSection 2665 294eb2 41 API calls 2664->2665 2666 29502a LeaveCriticalSection 2665->2666 2666->2660 2667 294eb2 41 API calls 2667->2668 2668->2660 2668->2661 2668->2662 2668->2664 2668->2667 2715 294108 
GetFileAttributesW 2668->2715 2669->2556 2676 29311d 2670->2676 2671 291156 FindFirstFileW 2671->2552 2671->2556 2672 292a1e 3 API calls 2672->2676 2673 29332a IsDBCSLeadByte 2674 293337 MultiByteToWideChar 2673->2674 2673->2676 2674->2676 2675 293395 IsDBCSLeadByte 2675->2676 2676->2671 2676->2672 2676->2673 2676->2675 2677 2933b6 MultiByteToWideChar 2676->2677 2677->2676 2678->2583 2679->2586 2680->2605 2682 2943bc 2681->2682 2683 2944ee 2681->2683 2682->2683 2695 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2682->2695 2683->2593 2683->2602 2685 2944d2 2687 2935c3 2 API calls 2685->2687 2686 2943d0 2692 294408 2686->2692 2696 2937f9 2686->2696 2687->2683 2689 29442a OpenProcess 2690 294440 GetCurrentProcess DuplicateHandle 2689->2690 2689->2692 2691 2944b7 CloseHandle 2690->2691 2690->2692 2691->2692 2692->2685 2692->2689 2692->2691 2693 294487 CloseHandle GetCurrentProcess DuplicateHandle 2692->2693 2694 2944d4 CloseHandle CloseHandle 2692->2694 2693->2691 2693->2692 2694->2685 2695->2686 2697 293803 2696->2697 2698 293819 GetProcessHeap HeapReAlloc 2697->2698 2699 293810 2697->2699 2698->2698 2701 293815 2698->2701 2700 2935c3 2 API calls 2699->2700 2700->2701 2701->2686 2702->2616 2710 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2703->2710 2705 291ac4 2705->2620 2706->2624 2708 2935c3 2 API calls 2707->2708 2709 291ae7 2708->2709 2709->2623 2710->2705 2711->2634 2712->2649 2713->2652 2714->2644 2715->2668 2716->2460 2718 293dfd 2717->2718 2719 293dd4 2717->2719 2718->2472 2723 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2718->2723 2727 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2719->2727 2721 293ddc 2721->2718 2722 293de2 WideCharToMultiByte 2721->2722 2722->2718 2723->2477 2728 296de8 2724->2728 2726 296d19 2726->2479 2727->2721 2731 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 
2728->2731 2730 296df0 2730->2726 2731->2730 2732->2504 2734 291de1 2733->2734 2735 291fb2 2733->2735 2734->2735 2736 29368d 7 API calls 2734->2736 2737 291e02 FindFirstFileW 2736->2737 2737->2735 2738 291e21 2737->2738 2757 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2738->2757 2740 291f8e FindNextFileW 2741 291fa9 2740->2741 2746 291e2b 2740->2746 2742 2935c3 2 API calls 2741->2742 2742->2735 2744 2935c3 2 API calls 2744->2746 2745 291dc9 41 API calls 2745->2746 2746->2740 2746->2744 2746->2745 2747 29368d 7 API calls 2746->2747 2748 293f43 41 API calls 2746->2748 2758 294118 2746->2758 2747->2746 2748->2746 2750 295279 2749->2750 2751 295238 2749->2751 2768 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2751->2768 2753 295242 2754 294eb2 45 API calls 2753->2754 2755 295272 2753->2755 2754->2753 2756 2935c3 2 API calls 2755->2756 2756->2750 2757->2746 2760 294120 2758->2760 2759 294132 2759->2746 2760->2759 2763 2936e4 2760->2763 2764 2936f8 2763->2764 2766 2936fc 2764->2766 2767 293595 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 2764->2767 2766->2746 2767->2766 2768->2753

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 0029475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0029489D), ref: 00294771
                                            • Part of subcall function 0029475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0029489D), ref: 0029477E
                                          • KiUserCallbackDispatcher.NTDLL(0000004C), ref: 00294C9E
                                          • GetSystemMetrics.USER32(0000004D), ref: 00294CA5
                                          • GetDC.USER32(00000000), ref: 00294CE0
                                          • GetCurrentObject.GDI32(00000000,00000007), ref: 00294CF3
                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 00294D0C
                                          • DeleteObject.GDI32(00000000), ref: 00294D3E
                                          • CreateCompatibleDC.GDI32(00000000), ref: 00294D9F
                                          • CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00294DC0
                                          • SelectObject.GDI32(00000000,00000000), ref: 00294DD2
                                          • BitBlt.GDI32(00000000,00000000,00000000,?,002924F5,00000000,?,?,00CC0020), ref: 00294DF7
                                            • Part of subcall function 00293595: EnterCriticalSection.KERNEL32(002984D4,?,?,00293C72,?,002922DE), ref: 0029359F
                                            • Part of subcall function 00293595: GetProcessHeap.KERNEL32(00000008,?,?,?,00293C72,?,002922DE), ref: 002935A8
                                            • Part of subcall function 00293595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00293C72,?,002922DE), ref: 002935AF
                                            • Part of subcall function 00293595: LeaveCriticalSection.KERNEL32(002984D4,?,?,?,00293C72,?,002922DE), ref: 002935B8
                                            • Part of subcall function 00293E03: EnterCriticalSection.KERNEL32(002984D4,?,0000011C), ref: 00293E15
                                            • Part of subcall function 002935C3: GetProcessHeap.KERNEL32(00000000,00000000,002926DC), ref: 002935CA
                                            • Part of subcall function 002935C3: RtlFreeHeap.NTDLL(00000000), ref: 002935D1
                                          • DeleteObject.GDI32(00000000), ref: 00294E95
                                          • DeleteDC.GDI32(00000000), ref: 00294E9C
                                          • ReleaseDC.USER32(00000000,00000000), ref: 00294EA5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1759974814.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true
                                          • Associated: 00000000.00000002.1759955556.0000000000290000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1760055328.0000000000298000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1760116878.0000000000299000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_290000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
                                          • String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
                                          • API String ID: 1387450592-1028866296
                                          • Opcode ID: 347b437fc6361b70ff8c69f3e3b20a09d2e58b81ecbdf621260e2425184b57df
                                          • Instruction ID: c95b1869a4fbdc88a8d07918b350129b8b36743e2d5c32d96fc19a042ff03ccf
                                          • Opcode Fuzzy Hash: 347b437fc6361b70ff8c69f3e3b20a09d2e58b81ecbdf621260e2425184b57df
                                          • Instruction Fuzzy Hash: 1E719D71E10209ABDF20EFA4DC46FEEBB79AF48700F14405AE605FB291DB709A15CB65

                                          Control-flow Graph

                                          control_flow_graph 156 291000-291018 157 29141c-291422 156->157 158 29101e-291028 156->158 158->157 159 29102e-291037 call 294108 158->159 159->157 162 29103d-291059 call 293595 * 2 159->162 167 29105f-291061 162->167 168 29140e-291417 call 2935c3 * 2 162->168 167->168 169 291067-29116d call 29368d FindFirstFileW 167->169 168->157 175 2913df-29140b call 293603 * 3 169->175 176 291173-291192 call 2936c8 * 2 169->176 175->168 186 291198-2911b7 call 29368d 176->186 187 2913c4 176->187 192 2911bd-2911cf call 2937b8 186->192 193 2917f6-2917fd 186->193 188 2913c7-2913d9 FindNextFileW 187->188 188->175 188->176 192->193 198 2911d5-2911e7 call 2937b8 192->198 193->187 195 291803-291821 call 2936c8 call 293bed 193->195 205 291878-29187d 195->205 206 291823-291870 call 293595 call 29368d call 293f43 195->206 198->193 204 2911ed-29120f call 2936c8 call 293bed 198->204 224 2917ab-2917d6 call 294145 204->224 225 291215-29121b 204->225 208 291a28-291a5f call 29368d call 293f43 205->208 209 291883-291888 205->209 206->205 226 291a64-291a67 208->226 209->208 214 29188e-291893 209->214 214->208 218 291899-29189e 214->218 218->208 222 2918a4-2918a9 218->222 222->208 227 2918af-2918b4 222->227 235 2913bd-2913bf call 2935c3 224->235 236 2917dc-2917e7 call 2937b8 224->236 225->224 230 291221-291227 225->230 226->188 227->208 231 2918ba-2918bf 227->231 230->224 233 29122d-291233 230->233 231->208 234 2918c5-2918ca 231->234 233->224 237 291239-29123f 233->237 234->208 238 2918d0-2918d5 234->238 235->187 236->235 248 2917ed-2917ef 236->248 237->224 241 291245-29124b 237->241 238->208 242 2918db-2918e0 238->242 241->224 245 291251-291257 241->245 242->208 243 2918e6-2918eb 242->243 243->187 247 2918f1-291905 call 2944f7 243->247 245->224 246 29125d-291263 245->246 246->224 249 291269-29126f 246->249 254 291538-291542 call 2935c3 247->254 255 29190b-291910 247->255 248->193 249->224 251 291275-29127b 249->251 251->224 253 291281-291287 251->253 
253->224 256 29128d-291293 253->256 254->187 255->254 257 291916-29192e call 29377e 255->257 256->224 259 291299-29129f 256->259 257->254 265 291934-29194c call 29377e 257->265 259->224 262 2912a5-2912ab 259->262 262->224 264 2912b1-2912b7 262->264 264->224 266 2912bd-2912c3 264->266 265->254 271 291952-291968 call 293729 265->271 266->224 268 2912c9-2912cf 266->268 268->224 270 2912d5-2912db 268->270 270->224 272 2912e1-2912e7 270->272 271->254 277 29196e-29197a call 2936b2 271->277 272->224 274 2912ed-2912f3 272->274 274->224 276 2912f9-2912ff 274->276 276->224 278 291305-29130b 276->278 283 291531-291533 call 2935c3 277->283 284 291980-291993 call 291aef 277->284 278->224 281 291311-291317 278->281 281->224 282 29131d-291323 281->282 282->224 285 291329-29132f 282->285 283->254 284->283 291 291999-29199e 284->291 285->224 288 291335-29133b 285->288 288->224 290 291341-291347 288->290 292 29134d-291382 call 294145 290->292 293 291423-291429 290->293 291->283 294 2919a4-2919b6 call 291d21 291->294 292->235 304 291384-29138f call 2937b8 292->304 297 291719-29174e call 294145 293->297 298 29142f-291435 293->298 305 2919b8-291a01 call 291c32 call 29368d call 293e03 294->305 306 291a1b-291a23 call 2935c3 294->306 297->254 313 291754-29175f call 2937b8 297->313 298->297 302 29143b-291441 298->302 302->297 303 291447-29144d 302->303 308 2916ef-291714 EnterCriticalSection call 294eb2 LeaveCriticalSection 303->308 309 291453-291459 303->309 304->235 323 291391-2913ba call 293f87 304->323 343 291a06-291a18 call 2935c3 * 2 305->343 306->283 308->187 309->308 314 29145f-291465 309->314 313->254 331 291765-2917a6 call 293f87 313->331 320 29149d-2914a3 314->320 321 291467-291498 call 293f87 314->321 327 2914a9-2914cb call 294145 320->327 328 291547-29154d 320->328 321->187 323->235 327->254 346 2914cd-2914d8 call 2937b8 327->346 334 29154f-291571 call 294145 328->334 335 2915be-2915c4 328->335 331->254 334->235 354 291577-291582 call 2937b8 334->354 339 291603-291609 335->339 
340 2915c6-2915e8 call 294145 335->340 348 2916e8 339->348 349 29160f-291615 339->349 340->235 357 2915ee-2915f9 call 2937b8 340->357 343->306 346->254 366 2914da-29152b call 293595 call 29368d call 293f43 346->366 348->308 349->348 355 29161b-291621 349->355 354->235 368 291588 354->368 360 291623-29162a 355->360 361 291636-29163c 355->361 357->235 376 2915ff-291601 357->376 360->361 363 29163e-291644 361->363 364 291670-291698 call 294145 361->364 363->364 369 291646-29164c 363->369 364->235 381 29169e-2916a9 call 2937b8 364->381 366->283 373 29158a-2915b9 call 293f87 368->373 369->364 374 29164e-291654 369->374 373->235 374->364 380 291656-29165c 374->380 376->373 380->364 384 29165e-291665 call 291000 380->384 381->235 391 2916af-2916e3 call 293f87 381->391 390 29166a-29166b 384->390 390->187 391->235
                                          APIs
                                          • FindNextFileW.KERNELBASE(?,?), ref: 002913D1
                                            • Part of subcall function 00294108: GetFileAttributesW.KERNELBASE(006E4398,00291035,006E4398,?), ref: 00294109
                                            • Part of subcall function 00293595: EnterCriticalSection.KERNEL32(002984D4,?,?,00293C72,?,002922DE), ref: 0029359F
                                            • Part of subcall function 00293595: GetProcessHeap.KERNEL32(00000008,?,?,?,00293C72,?,002922DE), ref: 002935A8
                                            • Part of subcall function 00293595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00293C72,?,002922DE), ref: 002935AF
                                            • Part of subcall function 00293595: LeaveCriticalSection.KERNEL32(002984D4,?,?,?,00293C72,?,002922DE), ref: 002935B8
                                          • FindFirstFileW.KERNELBASE(00000000,?,006E4398,?), ref: 00291161
                                            • Part of subcall function 00293F87: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00293FE8
                                            • Part of subcall function 00293F87: FindNextFileW.KERNEL32(0029179D,?), ref: 00294089
                                          • EnterCriticalSection.KERNEL32(002984D4), ref: 002916F5
                                          • LeaveCriticalSection.KERNEL32(002984D4), ref: 0029170E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1759974814.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true
                                          • Associated: 00000000.00000002.1759955556.0000000000290000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1760055328.0000000000298000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1760116878.0000000000299000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_290000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
                                          • String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$7a?=$Discord/$Telegram
                                          • API String ID: 1893179121-60960798
                                          • Opcode ID: dda93f640c8c261b617d9cef1633cabb71e396d3c31e29564b7247b26f5e0594
                                          • Instruction ID: 2beeb48ceb54d42ae2844e10ff0dfdbfa1e75ae17ffebecf58aebf53d73cd0da
                                          • Opcode Fuzzy Hash: dda93f640c8c261b617d9cef1633cabb71e396d3c31e29564b7247b26f5e0594
                                          • Instruction Fuzzy Hash: A8322661E302175ADF28EFA59C85BFDB3B4AF44300F15406AE805E7291EB708EB5CB95

                                          Control-flow Graph

                                          control_flow_graph 467 2920e1-292132 call 293595 470 292190-2921a2 GetCurrentHwProfileA 467->470 471 292134-292153 467->471 474 2921ba-29222b GetSystemInfo call 293668 call 2935c3 GlobalMemoryStatusEx call 293668 470->474 475 2921a4-2921b7 call 293668 470->475 472 29215b-292161 471->472 473 292155-292159 471->473 478 29216c-292172 472->478 479 292163-29216a 472->479 477 29217b-292186 call 2935d8 473->477 491 292268-292279 EnumDisplayDevicesA 474->491 475->474 482 292189-29218e 477->482 478->482 483 292174-292178 478->483 479->477 482->470 482->471 483->477 492 29227b-292281 491->492 493 29222d-292236 491->493 494 292238-292254 call 293668 493->494 495 292257-292267 493->495 494->495 495->491
                                          APIs
                                            • Part of subcall function 00293595: EnterCriticalSection.KERNEL32(002984D4,?,?,00293C72,?,002922DE), ref: 0029359F
                                            • Part of subcall function 00293595: GetProcessHeap.KERNEL32(00000008,?,?,?,00293C72,?,002922DE), ref: 002935A8
                                            • Part of subcall function 00293595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00293C72,?,002922DE), ref: 002935AF
                                            • Part of subcall function 00293595: LeaveCriticalSection.KERNEL32(002984D4,?,?,?,00293C72,?,002922DE), ref: 002935B8
                                          • GetCurrentHwProfileA.ADVAPI32(?), ref: 00292198
                                          • GetSystemInfo.KERNELBASE(?,?,0000011C), ref: 002921BF
                                          • GlobalMemoryStatusEx.KERNELBASE(?), ref: 002921F3
                                          • EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 00292275
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1759974814.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true
                                          • Associated: 00000000.00000002.1759955556.0000000000290000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1760055328.0000000000298000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1760116878.0000000000299000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_290000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
                                          • String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
                                          • API String ID: 330852582-565344305
                                          • Opcode ID: 3cd18f4b180b5c9de1f6b704602c661e7d82b637a4077d6fbc727ae52992dc60
                                          • Instruction ID: 8ff1fd76f8f0e7982aeceae2a77f54fc294197ad381f1d8df147faa78ba919ba
                                          • Opcode Fuzzy Hash: 3cd18f4b180b5c9de1f6b704602c661e7d82b637a4077d6fbc727ae52992dc60
                                          • Instruction Fuzzy Hash: 7E41B471528301ABDB24DF24DC85FABB7E8EBC8714F10491DF94987242E7709968CBA2

                                          Control-flow Graph

                                          APIs
                                          • FindFirstFileW.KERNELBASE(00000000,?,00000000,002984D4,?), ref: 00294F58
                                          • EnterCriticalSection.KERNEL32(002984D4), ref: 00295014
                                            • Part of subcall function 00294EB2: LeaveCriticalSection.KERNEL32(002984D4), ref: 00295031
                                          • FindNextFileW.KERNELBASE(?,?), ref: 00295200
                                            • Part of subcall function 00294108: GetFileAttributesW.KERNELBASE(006E4398,00291035,006E4398,?), ref: 00294109
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1759974814.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true
• Associated: 00000000.00000002.1759955556.0000000000290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760055328.0000000000298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760116878.0000000000299000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_290000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
                                          • String ID: %s\%s$%s\*$Telegram
                                          • API String ID: 648860119-4994844
                                          • Opcode ID: 27956e56439976032d1d682ed24bdd643342673e7fa54af49f6a3ff983180158
                                          • Instruction ID: 00133dc1d760c96d516d684b996f35f03c96fd0f2d6120701715876c0af581de
                                          • Opcode Fuzzy Hash: 27956e56439976032d1d682ed24bdd643342673e7fa54af49f6a3ff983180158
                                          • Instruction Fuzzy Hash: A7A16521E24358A9EF10DBA0EC46BFE7375EF44710F10505EE908EB2A1FBB11E558B5A

Control-flow Graph

• Rendered graph not captured by the text extraction (executed and not-executed blocks are distinguished only in the image). Function 291dc9 (basic blocks 291dc9..291fb7): FindFirstFileW / FindNextFileW loop with calls to 29368d, 293595, 2936c8, 2937b8, 294118, 293bed, 293f43 and 2935c3; block 291ed4 calls 291dc9 itself, i.e. the directory walk is recursive.
                                          APIs
                                          • FindFirstFileW.KERNELBASE(?), ref: 00291E10
                                            • Part of subcall function 00293595: EnterCriticalSection.KERNEL32(002984D4,?,?,00293C72,?,002922DE), ref: 0029359F
                                            • Part of subcall function 00293595: GetProcessHeap.KERNEL32(00000008,?,?,?,00293C72,?,002922DE), ref: 002935A8
                                            • Part of subcall function 00293595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00293C72,?,002922DE), ref: 002935AF
                                            • Part of subcall function 00293595: LeaveCriticalSection.KERNEL32(002984D4,?,?,?,00293C72,?,002922DE), ref: 002935B8
                                          • FindNextFileW.KERNELBASE(00000000,?), ref: 00291F94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1759974814.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true
• Associated: 00000000.00000002.1759955556.0000000000290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760055328.0000000000298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760116878.0000000000299000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_290000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
                                          • String ID: %s%s$%s\%s$%s\*
                                          • API String ID: 3555643018-2064654797
                                          • Opcode ID: 8414e9fbebe7c6852dd6d4884d826ea23143273c2f7161775f032d037e59b056
                                          • Instruction ID: c3385893804a4515593ac7508fa8f960ce31bfec1fbf8c9c0fbcfc1f0b700ec3
                                          • Opcode Fuzzy Hash: 8414e9fbebe7c6852dd6d4884d826ea23143273c2f7161775f032d037e59b056
                                          • Instruction Fuzzy Hash: 0A41C5712283075BCF14EF25D855A2E73E8AF85700F04092EF985C72A1EF31DA748B96

Control-flow Graph

• Rendered graph not captured by the text extraction (executed and not-executed blocks are distinguished only in the image). Function 291d21 (basic blocks 291d21..291dc8): calls 29475f and 293603, then CryptUnprotectData; on success the result is passed to CryptProtectData.
                                          APIs
                                            • Part of subcall function 0029475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0029489D), ref: 00294771
                                            • Part of subcall function 0029475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0029489D), ref: 0029477E
                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00291D80
                                          • CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 00291DB6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1759974814.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true
• Associated: 00000000.00000002.1759955556.0000000000290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760055328.0000000000298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760116878.0000000000299000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_290000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
                                          • String ID: CRYPT32.dll$Poverty is the parent of crime.
                                          • API String ID: 3642467563-1885057629
                                          • Opcode ID: 26627f8fb3a829380bcf430d676873d278b8e9cae3ab6cfdea70a1bb44856f2e
                                          • Instruction ID: c18e3d68933ce4eb84f2a1f59611087a1f61b591d58cd4d85836e6caaf8fc318
                                          • Opcode Fuzzy Hash: 26627f8fb3a829380bcf430d676873d278b8e9cae3ab6cfdea70a1bb44856f2e
                                          • Instruction Fuzzy Hash: 771117B6D0020DABDF10DF95C8859EEBBBCFB48310F10456AE955B3240E770AE59CAA0

                                          Control-flow Graph

                                          APIs
                                          • EnterCriticalSection.KERNEL32(002984D4,?,?,00293C72,?,002922DE), ref: 0029359F
                                          • GetProcessHeap.KERNEL32(00000008,?,?,?,00293C72,?,002922DE), ref: 002935A8
                                          • RtlAllocateHeap.NTDLL(00000000,?,?,?,00293C72,?,002922DE), ref: 002935AF
                                          • LeaveCriticalSection.KERNEL32(002984D4,?,?,?,00293C72,?,002922DE), ref: 002935B8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1759974814.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true
• Associated: 00000000.00000002.1759955556.0000000000290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760055328.0000000000298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760116878.0000000000299000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_290000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalHeapSection$AllocateEnterLeaveProcess
                                          • String ID:
                                          • API String ID: 1367039788-0
                                          • Opcode ID: 42b3477e30a2a6248f3d35da2b1cc99f87fbe698105c5d6b3ee43b9e92b65d66
                                          • Instruction ID: c971c5437f3dc915ac7fb3a2f7613de68e046ebf466df0c0c7c72d0d1fa66d5f
                                          • Opcode Fuzzy Hash: 42b3477e30a2a6248f3d35da2b1cc99f87fbe698105c5d6b3ee43b9e92b65d66
                                          • Instruction Fuzzy Hash: 09D0C73362812067CB5017FABC0D9DBBF6CEF96661B090057F205C3160DAA44C1587A0

Control-flow Graph

• Rendered graph not captured by the text extraction (executed and not-executed blocks are distinguished only in the image). Function 292282 (basic blocks 292282..29270d): InitializeCriticalSectionAndSpinCount, CreateMutexA, GetLastError; the GetLastError block branches either to the ExitProcess block at 292705 or on to the main logic, which calls 293c5f, 294871, 2948d6, 293595, 29475f, 291fba, 2936c8, 294c2d, 291a6c, 2920e1, 2953f8, 2952c4, 293e03 and 293c88, creates two threads (CreateThread, WaitForMultipleObjects), calls ObtainUserAgentString and GetModuleFileNameW, and ends with DeleteCriticalSection and ExitProcess. Several further blocks exit directly via ExitProcess.
                                          APIs
                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(002984D4,00000DA3), ref: 00292297
                                          • CreateMutexA.KERNELBASE(00000000,00000000,085f229d-d27d-4fc1-9dc1-8958125ccbd9), ref: 002922AF
                                          • GetLastError.KERNEL32 ref: 002922C2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1759974814.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true
• Associated: 00000000.00000002.1759955556.0000000000290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760055328.0000000000298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760116878.0000000000299000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_290000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
                                          • String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$085f229d-d27d-4fc1-9dc1-8958125ccbd9$@$Chrome$kernel32$shell32
                                          • API String ID: 2005177960-2910755732
                                          • Opcode ID: d82e750464baf9fb3c19cf5a64adf59ca928c8ecfd83ed004a0a69582b2d0253
                                          • Instruction ID: 71d4dca998abd2786f5a2f1415680a02e068660e419cf2c627febbf7d51add6d
                                          • Opcode Fuzzy Hash: d82e750464baf9fb3c19cf5a64adf59ca928c8ecfd83ed004a0a69582b2d0253
                                          • Instruction Fuzzy Hash: 00C1E730A64245EEEF14EFA0EC0AFED7B75AF15301F04005AE601AA1E2DF754A68CF65

Control-flow Graph

• Rendered graph not captured by the text extraction (executed and not-executed blocks are distinguished only in the image). Function 2953f8 (basic blocks 2953f8..2955d0): calls 29475f, then WSAStartup, 2953ec, socket, 29535a, 293603; connect is followed by two send calls; a failed connect or send leads to Sleep and back to the connect block (retry loop); exit path via 2935c3 and closesocket.
                                          APIs
                                            • Part of subcall function 0029475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0029489D), ref: 00294771
                                            • Part of subcall function 0029475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0029489D), ref: 0029477E
                                          • WSAStartup.WS2_32(00000202,?), ref: 002954E0
                                          • socket.WS2_32(?,00000001,00000000), ref: 0029550F
                                          • connect.WS2_32(000000FF,?,00000010), ref: 0029554E
                                          • send.WS2_32(000000FF,00000000,00000000), ref: 00295570
                                          • send.WS2_32(000000FF,000000FF,106,00000000), ref: 0029558C
                                          • closesocket.WS2_32(000000FF), ref: 002955BC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1759974814.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true
• Associated: 00000000.00000002.1759955556.0000000000290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760055328.0000000000298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760116878.0000000000299000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_290000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: send$HandleLibraryLoadModuleStartupclosesocketconnectsocket
                                          • String ID: 106$185.244.212.106$ws2_32.dll
                                          • API String ID: 653765639-2093737415
                                          • Opcode ID: f9021a0fca2179b65bbb4b7032b4f82884f83558b289b2944363a9588972345a
                                          • Instruction ID: 457be1f1067e05ef56bef086cca17552c14fcb98909b73cac6a3b17fb7be9e7c
                                          • Opcode Fuzzy Hash: f9021a0fca2179b65bbb4b7032b4f82884f83558b289b2944363a9588972345a
                                          • Instruction Fuzzy Hash: 3C51B230D44289EEEF028BE8D8097EDBFB99F15314F544089E660BE2C2C7B5475ACB65

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00294108: GetFileAttributesW.KERNELBASE(006E4398,00291035,006E4398,?), ref: 00294109
                                            • Part of subcall function 00293595: EnterCriticalSection.KERNEL32(002984D4,?,?,00293C72,?,002922DE), ref: 0029359F
                                            • Part of subcall function 00293595: GetProcessHeap.KERNEL32(00000008,?,?,?,00293C72,?,002922DE), ref: 002935A8
                                            • Part of subcall function 00293595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00293C72,?,002922DE), ref: 002935AF
                                            • Part of subcall function 00293595: LeaveCriticalSection.KERNEL32(002984D4,?,?,?,00293C72,?,002922DE), ref: 002935B8
                                          • EnterCriticalSection.KERNEL32(002984D4), ref: 00294580
                                          • LeaveCriticalSection.KERNEL32(002984D4), ref: 002945CC
                                          • EnterCriticalSection.KERNEL32(002984D4), ref: 0029464F
                                          • LeaveCriticalSection.KERNEL32(002984D4), ref: 00294688
                                          • EnterCriticalSection.KERNEL32(002984D4), ref: 002946C5
                                          • LeaveCriticalSection.KERNEL32(002984D4), ref: 00294708
                                          • EnterCriticalSection.KERNEL32(002984D4), ref: 00294721
                                          • LeaveCriticalSection.KERNEL32(002984D4), ref: 0029474A
                                            • Part of subcall function 00294377: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,002945FF), ref: 00294390
                                            • Part of subcall function 00294377: GetProcAddress.KERNEL32(00000000), ref: 00294399
                                            • Part of subcall function 00294377: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,002945FF), ref: 002943AA
                                            • Part of subcall function 00294377: GetProcAddress.KERNEL32(00000000), ref: 002943AD
                                            • Part of subcall function 00294377: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,002945FF), ref: 0029442F
                                            • Part of subcall function 00294377: GetCurrentProcess.KERNEL32(002945FF,00000000,00000000,00000002,?,?,?,?,002945FF), ref: 0029444B
                                            • Part of subcall function 00294377: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,002945FF), ref: 0029445A
                                            • Part of subcall function 00294377: CloseHandle.KERNEL32(002945FF,?,?,?,?,002945FF), ref: 0029448A
                                            • Part of subcall function 002935C3: GetProcessHeap.KERNEL32(00000000,00000000,002926DC), ref: 002935CA
                                            • Part of subcall function 002935C3: RtlFreeHeap.NTDLL(00000000), ref: 002935D1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1759974814.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true
• Associated: 00000000.00000002.1759955556.0000000000290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760055328.0000000000298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760116878.0000000000299000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_290000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocateAttributesCloseCurrentDuplicateFileFreeOpen
                                          • String ID: @$\??\%s$\Network\Cookies
                                          • API String ID: 330363434-2791195959
                                          • Opcode ID: e2c14f9cf643887fbefbc4e547acd27954c0306d0ca8e72f562eae11c41443ea
                                          • Instruction ID: 8dcf0ab433d9c4a760b4ffe9ff04bafc1987b011a992ffc75bdf56088cd80b5e
                                          • Opcode Fuzzy Hash: e2c14f9cf643887fbefbc4e547acd27954c0306d0ca8e72f562eae11c41443ea
                                          • Instruction Fuzzy Hash: E0713971960209AFDF04EF90DC4AFEDBBB5EF09305F14805AFA01AA1D1EB715A55CB50
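Added example, not from the Joe Sandbox report or from the Poverty Stealer sample: a small Python parser over the per-function "APIs" and "String ID" lines in the entries above (the mutex guard at 00292282, the socket routine at 002953F8, the DPAPI routine at 00291D21 and the cookie-handle routine at 00294580), which pulls out the mutex name and the dotted-quad C2 string and flags the behaviours a triager looks for. The rule set, the `Func`/`parse_report`/`triage` names and the `SAMPLE` text are constructions of this example; the `SAMPLE` lines themselves are copied from the entries above.

```python
"""Triage helper for the 'APIs' / 'String ID' lines emitted by the Joe Sandbox IDA plugin.
Added example; not part of Joe Sandbox or of the analysed sample.  Rules, names and the
constructed SAMPLE (lines copied from the report entries above) are this example's own."""
import re
from dataclasses import dataclass, field

# "• Api.MODULE(args), ref: ADDR" or "• Part of subcall function ADDR: Api.MODULE(...), ref: ADDR".
# GetLastError is listed without an argument list, so the parenthesised part is optional.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Func:
    direct: list = field(default_factory=list)    # (api, module, args, ref) made by the function itself
    subcalls: list = field(default_factory=list)  # the same, reached through a callee
    strings: list = field(default_factory=list)   # entries of the "String ID:" line

    def apis(self, include_subcalls=True):
        names = {rec[0] for rec in self.direct}
        if include_subcalls:
            names |= {rec[0] for rec in self.subcalls}
        return names


def parse_report(text):
    """One Func per 'APIs' header; every other line of the dump is ignored."""
    funcs, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Func()
            funcs.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(line)):
            rec = (m["api"], m["mod"], m["args"], m["ref"])
            (cur.subcalls if m["sub"] else cur.direct).append(rec)
        elif s.startswith("• String ID:"):
            # The plugin joins strings with '$'; a literal '$' inside a string is ambiguous here.
            cur.strings = [x for x in s[len("• String ID:"):].split("$") if x.strip()]
    return funcs


# Behaviour rules over one function's API set (direct calls only where the pairing matters).
RULES = {
    # CreateMutex followed by GetLastError: the ERROR_ALREADY_EXISTS check of a single-instance guard
    "mutex_guard": lambda f: (bool({"CreateMutexA", "CreateMutexW"} & f.apis(False))
                              and "GetLastError" in f.apis(False)),
    "dpapi_decrypt": lambda f: "CryptUnprotectData" in f.apis(),
    "raw_tcp_c2": lambda f: {"connect", "send"} <= f.apis(False),
    # OpenProcess + DuplicateHandle next to a Cookies path: reading a browser's locked cookie DB
    "handle_duplication": lambda f: ({"OpenProcess", "DuplicateHandle"} <= f.apis()
                                     and any("Cookies" in x for x in f.strings)),
    "host_fingerprint": lambda f: bool({"GetCurrentHwProfileA", "GlobalMemoryStatusEx"} & f.apis(False)),
}


def triage(text):
    funcs = parse_report(text)
    flags, mutexes, ips = set(), set(), set()
    for f in funcs:
        hits = {name for name, rule in RULES.items() if rule(f)}
        flags |= hits
        if "mutex_guard" in hits:  # the mutex name is the third CreateMutex argument
            for api, _mod, args, _ref in f.direct:
                if api.startswith("CreateMutex"):
                    mutexes.update(GUID_RE.findall(args or ""))
        if "raw_tcp_c2" in hits:   # dotted quads in the strings of a connect/send routine are C2 candidates
            for x in f.strings:
                ips.update(IPV4_RE.findall(x))
    return {"functions": len(funcs), "flags": flags, "mutexes": mutexes, "c2_ipv4": ips}


# Constructed input: a subset of the report entries above, copied verbatim.
SAMPLE = r"""APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(002984D4,00000DA3), ref: 00292297
• CreateMutexA.KERNELBASE(00000000,00000000,085f229d-d27d-4fc1-9dc1-8958125ccbd9), ref: 002922AF
• GetLastError.KERNEL32 ref: 002922C2
• String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$085f229d-d27d-4fc1-9dc1-8958125ccbd9$@$Chrome
APIs
  • Part of subcall function 0029475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0029489D), ref: 0029477E
• socket.WS2_32(?,00000001,00000000), ref: 0029550F
• connect.WS2_32(000000FF,?,00000010), ref: 0029554E
• send.WS2_32(000000FF,000000FF,106,00000000), ref: 0029558C
• String ID: 106$185.244.212.106$ws2_32.dll
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00291D80
• CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 00291DB6
• String ID: CRYPT32.dll$Poverty is the parent of crime.
APIs
  • Part of subcall function 00294377: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,002945FF), ref: 0029442F
  • Part of subcall function 00294377: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,002945FF), ref: 0029445A
• String ID: @$\??\%s$\Network\Cookies
"""
```

Run `triage(SAMPLE)` on the whole report text to get the same result for every function entry; the rules are deliberately narrow (API names the report prints, not behaviour inferred from the graph), so a function that calls a different mutex or socket wrapper will not be flagged, and the `$`-split of the "String ID" line cannot tell a literal `$` from a separator.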

Control-flow Graph

• Rendered graph not captured by the text extraction (executed and not-executed blocks are distinguished only in the image). Function 2948d6 (basic blocks 2948d6..294c2c): VirtualAlloc, then a call to 29475f and 2935d8, GetCurrentProcess and IsWow64Process, followed by a large branch tree of blocks that call 2952c4 and exit via 294c1b/294c21.
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,00292351), ref: 002948F7
                                            • Part of subcall function 0029475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0029489D), ref: 00294771
                                            • Part of subcall function 0029475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0029489D), ref: 0029477E
                                          • GetCurrentProcess.KERNEL32(Q#)), ref: 0029496B
                                          • IsWow64Process.KERNEL32(00000000), ref: 00294972
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1759974814.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true
• Associated: 00000000.00000002.1759955556.0000000000290000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760055328.0000000000298000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1760116878.0000000000299000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_290000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
                                          • String ID: Q#)$l$ntdl$ntdllQ#)
                                          • API String ID: 1207166019-1855892816
                                          • Opcode ID: 65ab3fea5beba9b4c30a354e1f97fddda5673148acf2da99b5f523b59718a8e6
                                          • Instruction ID: 910a7615d587e069483cfb637d8b70120afae7977f6d8a1c9fb6865a397eef49
                                          • Opcode Fuzzy Hash: 65ab3fea5beba9b4c30a354e1f97fddda5673148acf2da99b5f523b59718a8e6
                                          • Instruction Fuzzy Hash: C181C2306352029AEF24AF10FC59FB933A8FF16714F24151BE7099B2E0DBF489968756

Control-flow Graph

• Rendered graph not captured by the text extraction (executed and not-executed blocks are distinguished only in the image). Function 29475f (basic blocks 29475f..294870): GetModuleHandleA, falling back to LoadLibraryA when the module is not yet loaded, then a lookup loop calling 2936b2 and 293bed.
                                          APIs
                                          • GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0029489D), ref: 00294771
                                          • LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0029489D), ref: 0029477E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1759974814.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true
                                          • Associated: 00000000.00000002.1759955556.0000000000290000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1760028147.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1760055328.0000000000298000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1760116878.0000000000299000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_290000_file.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleLibraryLoadModule
                                          • String ID: ntdl
                                          • API String ID: 4133054770-3973061744
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000000,002926DC), ref: 002935CA
                                          • RtlFreeHeap.NTDLL(00000000), ref: 002935D1
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$FreeProcess
                                          • String ID:
                                          • API String ID: 3859560861-0
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(006E4398,00291035,006E4398,?), ref: 00294109
                                          Yara matches
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          APIs
                                            • Part of subcall function 00294108: GetFileAttributesW.KERNELBASE(006E4398,00291035,006E4398,?), ref: 00294109
                                            • Part of subcall function 00293595: EnterCriticalSection.KERNEL32(002984D4,?,?,00293C72,?,002922DE), ref: 0029359F
                                            • Part of subcall function 00293595: GetProcessHeap.KERNEL32(00000008,?,?,?,00293C72,?,002922DE), ref: 002935A8
                                            • Part of subcall function 00293595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00293C72,?,002922DE), ref: 002935AF
                                            • Part of subcall function 00293595: LeaveCriticalSection.KERNEL32(002984D4,?,?,?,00293C72,?,002922DE), ref: 002935B8
                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00293FE8
                                          • FindNextFileW.KERNEL32(0029179D,?), ref: 00294089
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
                                          • String ID: %s%s$%s\%s$%s\*
                                          • API String ID: 674214967-2064654797
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00294198
                                          • FindNextFileW.KERNEL32(000000FF,?), ref: 002941E4
                                            • Part of subcall function 002935C3: GetProcessHeap.KERNEL32(00000000,00000000,002926DC), ref: 002935CA
                                            • Part of subcall function 002935C3: RtlFreeHeap.NTDLL(00000000), ref: 002935D1
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: FileFindHeap$FirstFreeNextProcess
                                          • String ID: %s\%s$%s\*
                                          • API String ID: 1689202581-2848263008
                                          APIs
                                          • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,002945FF), ref: 00294390
                                          • GetProcAddress.KERNEL32(00000000), ref: 00294399
                                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,002945FF), ref: 002943AA
                                          • GetProcAddress.KERNEL32(00000000), ref: 002943AD
                                            • Part of subcall function 00293595: EnterCriticalSection.KERNEL32(002984D4,?,?,00293C72,?,002922DE), ref: 0029359F
                                            • Part of subcall function 00293595: GetProcessHeap.KERNEL32(00000008,?,?,?,00293C72,?,002922DE), ref: 002935A8
                                            • Part of subcall function 00293595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00293C72,?,002922DE), ref: 002935AF
                                            • Part of subcall function 00293595: LeaveCriticalSection.KERNEL32(002984D4,?,?,?,00293C72,?,002922DE), ref: 002935B8
                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,002945FF), ref: 0029442F
                                          • GetCurrentProcess.KERNEL32(002945FF,00000000,00000000,00000002,?,?,?,?,002945FF), ref: 0029444B
                                          • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,002945FF), ref: 0029445A
                                          • CloseHandle.KERNEL32(002945FF,?,?,?,?,002945FF), ref: 0029448A
                                          • GetCurrentProcess.KERNEL32(002945FF,00000000,00000000,00000001,?,?,?,?,002945FF), ref: 00294498
                                          • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,002945FF), ref: 002944A7
                                          • CloseHandle.KERNEL32(?,?,?,?,?,002945FF), ref: 002944BA
                                          • CloseHandle.KERNEL32(000000FF), ref: 002944DD
                                          • CloseHandle.KERNEL32(?), ref: 002944E5
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocateEnterLeaveOpen
                                          • String ID: NtQueryObject$NtQuerySystemInformation$ntdll
                                          • API String ID: 3110323036-2044536123
                                          APIs
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: __aulldvrm
                                          • String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
                                          • API String ID: 1302938615-1267642376
                                          APIs
                                          • GetUserDefaultUILanguage.KERNEL32 ref: 0029201D
                                          • GetKeyboardLayoutList.USER32(00000032,?), ref: 0029207F
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: DefaultKeyboardLanguageLayoutListUser
                                          • String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
                                          • API String ID: 167087913-619012376
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: x
                                          • API String ID: 0-2363233923
                                          APIs
                                            • Part of subcall function 00293595: EnterCriticalSection.KERNEL32(002984D4,?,?,00293C72,?,002922DE), ref: 0029359F
                                            • Part of subcall function 00293595: GetProcessHeap.KERNEL32(00000008,?,?,?,00293C72,?,002922DE), ref: 002935A8
                                            • Part of subcall function 00293595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00293C72,?,002922DE), ref: 002935AF
                                            • Part of subcall function 00293595: LeaveCriticalSection.KERNEL32(002984D4,?,?,?,00293C72,?,002922DE), ref: 002935B8
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00292ECA
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
                                          • String ID: 6#)
                                          • API String ID: 1990697408-599568189
                                          APIs
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,00000000,00000000,00000000,?,?,?,00293E4E,00000000,?,0000011C), ref: 00293DC1
                                            • Part of subcall function 00293595: EnterCriticalSection.KERNEL32(002984D4,?,?,00293C72,?,002922DE), ref: 0029359F
                                            • Part of subcall function 00293595: GetProcessHeap.KERNEL32(00000008,?,?,?,00293C72,?,002922DE), ref: 002935A8
                                            • Part of subcall function 00293595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00293C72,?,002922DE), ref: 002935AF
                                            • Part of subcall function 00293595: LeaveCriticalSection.KERNEL32(002984D4,?,?,?,00293C72,?,002922DE), ref: 002935B8
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,?,00000000,00000000,?,00293E4E,00000000,?,0000011C), ref: 00293DF7
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharCriticalHeapMultiSectionWide$AllocateEnterLeaveProcess
                                          • String ID: $d.log
                                          • API String ID: 635875880-1910398676